Analysis Report PO 367628usa.exe

Overview

General Information

Sample Name: PO 367628usa.exe
Analysis ID: 412247
MD5: 42cf4c3943d5a839412a16a4d8b8d65d
SHA1: f26230352a412de0ca8b1ffc6fc07838b878a68a
SHA256: 1ceec55d4acbb8db907798df6b1be5832f32d2d4e459c5bd08d0252a0763b30c

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
PE file has nameless sections
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.uuoouu-90.store/meub/"], "decoy": ["ebookcu.com", "sherwooddaydesigns.com", "healthcarebb.com", "pixelflydesigns.com", "youtegou.net", "audiokeychin.com", "rioranchoeventscenter.com", "nickofolas.com", "comicstattoosnguns.com", "ally.tech", "paperplaneexplorer.com", "janetkk.com", "sun1981.com", "pocopage.com", "shortagegoal.com", "tbluelinux.com", "servantsheartvalet.com", "jkhushal.com", "91huangyu.com", "portlandconservatory.net", "crazyasskaren.com", "gr8.photos", "silviabiasiolipatisserie.com", "goeseo.com", "shellyluther.com", "salvemosalsuroeste.com", "technologies.email", "xn--80aasvjfhla.xn--p1acf", "dmowang.com", "mylifeusaaatworkportal.com", "electronicszap.com", "thefrankversion.com", "patricksparber.com", "m-kenterprises.com", "goodcreditcardshome.info", "shegotit.club", "nutinbutter.com", "bridgestreetresources.com", "tjanyancha.com", "qqstoneandcabinet.com", "topstitch.info", "shadyshainarae.com", "meucamarimoficial.com", "gatedless.net", "aal888.com", "tstcongo.com", "luckyladybugnailswithlisa.com", "usapersonalshopper.com", "893645tuerigjo.com", "pbjusering.com", "katbumydbnjk.mobi", "bostonm.info", "amesshop.com", "k-9homefinders.com", "philbaileyrealestate.com", "ahxinnuojie.com", "ardougne.com", "pasteleriaruth.com", "vauvakuumettapodcast.com", "aryamakoran.com", "digitalspacepod.com", "clarkstrain.com", "plantbasedranch.com", "therapylightclub.com"]}
Multi AV Scanner detection for submitted file
Source: PO 367628usa.exe Virustotal: Detection: 35%
Yara detected FormBook
Source: Yara match File source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO 367628usa.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.PO 367628usa.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: PO 367628usa.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO 367628usa.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.372619692.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: PO 367628usa.exe, 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO 367628usa.exe, raserver.exe
Source: Binary string: RAServer.pdb source: PO 367628usa.exe, 00000005.00000002.391160036.00000000034E0000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: PO 367628usa.exe, 00000005.00000002.391160036.00000000034E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.372619692.000000000DC20000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_00DD16E8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_00DD1658
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4x nop then pop esi 5_2_00415838
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop esi 9_2_00925838

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 209.182.202.96:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 209.182.202.96:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 209.182.202.96:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49752 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.uuoouu-90.store/meub/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /meub/?5jYHTPD=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36klWLP588DVSUgz18wg==&W2MTZ=5jyDHn6x2rY HTTP/1.1 Host: www.servantsheartvalet.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /meub/?5jYHTPD=AHOwzMgiYatzzgqEm8fFrRw5FyeBXJPWAn72SIj91D3zxHtkj2kvoxgZPNykIH4K/OrW/jgvcw==&W2MTZ=5jyDHn6x2rY HTTP/1.1 Host: www.m-kenterprises.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /meub/?5jYHTPD=wcKMzz9mAcCi2aLb0t1qtV86GlMNvZH+VyhKA1jT/I4bq+nb0/na/dj3wGs+8qrOUrJA87J5aQ==&W2MTZ=5jyDHn6x2rY HTTP/1.1 Host: www.bridgestreetresources.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /meub/?5jYHTPD=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSjw9+1sG86DK55WYOQ==&W2MTZ=5jyDHn6x2rY HTTP/1.1 Host: www.shadyshainarae.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.235.200.147
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View ASN Name: IMH-WESTUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: unknown DNS traffic detected: queries for: www.servantsheartvalet.com
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: PO 367628usa.exe, 00000000.00000002.346748080.0000000002EB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/1
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000002.589360759.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: raserver.exe, 00000009.00000002.589924154.0000000002F3C000.00000004.00000020.sdmp String found in binary or memory: http://www.patricksparber.com/
Source: raserver.exe, 00000009.00000002.589924154.0000000002F3C000.00000004.00000020.sdmp String found in binary or memory: http://www.patricksparber.com/K
Source: raserver.exe, 00000009.00000002.589940302.0000000002F43000.00000004.00000020.sdmp String found in binary or memory: http://www.patricksparber.com/meub/?5jYHTPD=q/3go0TMrjOOicJ8yyeZoSSUK4YYViZWgar0VOI0LAyS1IHPJrhhqQPM
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.371695553.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: PO 367628usa.exe, 00000000.00000002.345992279.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PO 367628usa.exe, 00000000.00000002.345192885.0000000000B2B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
PE file contains section with special chars
Source: PO 367628usa.exe Static PE information: section name: ^8+S|rz
PE file has nameless sections
Source: PO 367628usa.exe Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_004181C0 NtCreateFile, 5_2_004181C0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_00418270 NtReadFile, 5_2_00418270
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_004182F0 NtClose, 5_2_004182F0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_004183A0 NtAllocateVirtualMemory, 5_2_004183A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_004181BC NtCreateFile, 5_2_004181BC
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0041826A NtReadFile, 5_2_0041826A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_004182EC NtClose, 5_2_004182EC
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0041839B NtAllocateVirtualMemory, 5_2_0041839B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019099A0 NtCreateSection,LdrInitializeThunk, 5_2_019099A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01909910
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019098F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_019098F0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909840 NtDelayExecution,LdrInitializeThunk, 5_2_01909840
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01909860
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_01909A00
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909A20 NtResumeThread,LdrInitializeThunk, 5_2_01909A20
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909A50 NtCreateFile,LdrInitializeThunk, 5_2_01909A50
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019095D0 NtClose,LdrInitializeThunk, 5_2_019095D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909540 NtReadFile,LdrInitializeThunk, 5_2_01909540
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909780 NtMapViewOfSection,LdrInitializeThunk, 5_2_01909780
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019097A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_019097A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909FE0 NtCreateMutant,LdrInitializeThunk, 5_2_01909FE0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909710 NtQueryInformationToken,LdrInitializeThunk, 5_2_01909710
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019096E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_019096E0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_01909660
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019099D0 NtCreateProcessEx, 5_2_019099D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909950 NtQueueApcThread, 5_2_01909950
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019098A0 NtWriteVirtualMemory, 5_2_019098A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909820 NtEnumerateKey, 5_2_01909820
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0190B040 NtSuspendThread, 5_2_0190B040
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0190A3B0 NtGetContextThread, 5_2_0190A3B0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909B00 NtSetValueKey, 5_2_01909B00
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909A80 NtOpenDirectoryObject, 5_2_01909A80
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909A10 NtQuerySection, 5_2_01909A10
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019095F0 NtQueryInformationFile, 5_2_019095F0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0190AD30 NtSetContextThread, 5_2_0190AD30
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909520 NtWaitForSingleObject, 5_2_01909520
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909560 NtWriteFile, 5_2_01909560
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0190A710 NtOpenProcessToken, 5_2_0190A710
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909730 NtQueryVirtualMemory, 5_2_01909730
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0190A770 NtOpenThread, 5_2_0190A770
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909770 NtSetInformationFile, 5_2_01909770
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909760 NtOpenProcess, 5_2_01909760
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019096D0 NtCreateKey, 5_2_019096D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909610 NtEnumerateValueKey, 5_2_01909610
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909650 NtQueryValueKey, 5_2_01909650
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01909670 NtQueryInformationProcess, 5_2_01909670
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C195D0 NtClose,LdrInitializeThunk, 9_2_04C195D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19540 NtReadFile,LdrInitializeThunk, 9_2_04C19540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C196D0 NtCreateKey,LdrInitializeThunk, 9_2_04C196D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C196E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_04C196E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19650 NtQueryValueKey,LdrInitializeThunk, 9_2_04C19650
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_04C19660
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19FE0 NtCreateMutant,LdrInitializeThunk, 9_2_04C19FE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19780 NtMapViewOfSection,LdrInitializeThunk, 9_2_04C19780
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19710 NtQueryInformationToken,LdrInitializeThunk, 9_2_04C19710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19840 NtDelayExecution,LdrInitializeThunk, 9_2_04C19840
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_04C19860
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C199A0 NtCreateSection,LdrInitializeThunk, 9_2_04C199A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_04C19910
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19A50 NtCreateFile,LdrInitializeThunk, 9_2_04C19A50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C195F0 NtQueryInformationFile, 9_2_04C195F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19560 NtWriteFile, 9_2_04C19560
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19520 NtWaitForSingleObject, 9_2_04C19520
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C1AD30 NtSetContextThread, 9_2_04C1AD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19670 NtQueryInformationProcess, 9_2_04C19670
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19610 NtEnumerateValueKey, 9_2_04C19610
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C197A0 NtUnmapViewOfSection, 9_2_04C197A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19760 NtOpenProcess, 9_2_04C19760
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C1A770 NtOpenThread, 9_2_04C1A770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19770 NtSetInformationFile, 9_2_04C19770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C1A710 NtOpenProcessToken, 9_2_04C1A710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19730 NtQueryVirtualMemory, 9_2_04C19730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C198F0 NtReadVirtualMemory, 9_2_04C198F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C198A0 NtWriteVirtualMemory, 9_2_04C198A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C1B040 NtSuspendThread, 9_2_04C1B040
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19820 NtEnumerateKey, 9_2_04C19820
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C199D0 NtCreateProcessEx, 9_2_04C199D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19950 NtQueueApcThread, 9_2_04C19950
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19A80 NtOpenDirectoryObject, 9_2_04C19A80
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19A00 NtProtectVirtualMemory, 9_2_04C19A00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19A10 NtQuerySection, 9_2_04C19A10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19A20 NtResumeThread, 9_2_04C19A20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C1A3B0 NtGetContextThread, 9_2_04C1A3B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C19B00 NtSetValueKey, 9_2_04C19B00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_009281C0 NtCreateFile, 9_2_009281C0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_009282F0 NtClose, 9_2_009282F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_00928270 NtReadFile, 9_2_00928270
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_009283A0 NtAllocateVirtualMemory, 9_2_009283A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_009281BC NtCreateFile, 9_2_009281BC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_009282EC NtClose, 9_2_009282EC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0092826A NtReadFile, 9_2_0092826A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0092839B NtAllocateVirtualMemory, 9_2_0092839B
Detected potential crypto function
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD2DB0 0_2_00DD2DB0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD2520 0_2_00DD2520
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD4620 0_2_00DD4620
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD37E0 0_2_00DD37E0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DDB7E0 0_2_00DDB7E0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD60D0 0_2_00DD60D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD54C0 0_2_00DD54C0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD60E0 0_2_00DD60E0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD2499 0_2_00DD2499
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DDA888 0_2_00DDA888
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD6C08 0_2_00DD6C08
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD6DC1 0_2_00DD6DC1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DDB1F8 0_2_00DDB1F8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD6999 0_2_00DD6999
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD45B7 0_2_00DD45B7
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD69A8 0_2_00DD69A8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD455B 0_2_00DD455B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD1908 0_2_00DD1908
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD3249 0_2_00DD3249
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DDA218 0_2_00DDA218
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD6BF8 0_2_00DD6BF8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD6758 0_2_00DD6758
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD6748 0_2_00DD6748
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E6508 0_2_054E6508
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E3C48 0_2_054E3C48
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E5C00 0_2_054E5C00
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E07B8 0_2_054E07B8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E5E24 0_2_054E5E24
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E8620 0_2_054E8620
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E0040 0_2_054E0040
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E58D3 0_2_054E58D3
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054EA3E3 0_2_054EA3E3
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E9208 0_2_054E9208
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E9A30 0_2_054E9A30
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ECD48 0_2_054ECD48
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ECD58 0_2_054ECD58
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ED5D9 0_2_054ED5D9
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ED5E8 0_2_054ED5E8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E64FB 0_2_054E64FB
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054EB731 0_2_054EB731
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054EC1C0 0_2_054EC1C0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E9183 0_2_054E9183
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054EC1B0 0_2_054EC1B0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ED048 0_2_054ED048
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ED851 0_2_054ED851
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ED860 0_2_054ED860
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E5BF0 0_2_054E5BF0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ED3A1 0_2_054ED3A1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054ED3B0 0_2_054ED3B0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054EDA68 0_2_054EDA68
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C6B648 0_2_05C6B648
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C6459B 0_2_05C6459B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C68DAE 0_2_05C68DAE
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C645A8 0_2_05C645A8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C64553 0_2_05C64553
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C63168 0_2_05C63168
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C68D31 0_2_05C68D31
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C630F0 0_2_05C630F0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C64099 0_2_05C64099
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C640A8 0_2_05C640A8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C60040 0_2_05C60040
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C60007 0_2_05C60007
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C66B80 0_2_05C66B80
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C66B90 0_2_05C66B90
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C637B0 0_2_05C637B0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C68B50 0_2_05C68B50
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C68758 0_2_05C68758
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C64ED8 0_2_05C64ED8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C64E78 0_2_05C64E78
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_00401027 5_2_00401027
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0041C82E 5_2_0041C82E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0041A2A6 5_2_0041A2A6
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0041BABD 5_2_0041BABD
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_00408C60 5_2_00408C60
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_00408C1A 5_2_00408C1A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0041B504 5_2_0041B504
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0041CE2B 5_2_0041CE2B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CF900 5_2_018CF900
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E4120 5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DB090 5_2_018DB090
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F20A0 5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019920A8 5_2_019920A8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019928EC 5_2_019928EC
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981002 5_2_01981002
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0199E824 5_2_0199E824
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FEBB0 5_2_018FEBB0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019803DA 5_2_019803DA
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198DBD2 5_2_0198DBD2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01992B28 5_2_01992B28
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019922AE 5_2_019922AE
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2581 5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019925DD 5_2_019925DD
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DD5E0 5_2_018DD5E0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01992D07 5_2_01992D07
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C0D20 5_2_018C0D20
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01991D55 5_2_01991D55
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D841F 5_2_018D841F
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198D466 5_2_0198D466
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0199DFCE 5_2_0199DFCE
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01991FF1 5_2_01991FF1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01992EF7 5_2_01992EF7
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198D616 5_2_0198D616
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E6E30 5_2_018E6E30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE841F 9_2_04BE841F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9D466 9_2_04C9D466
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA25DD 9_2_04CA25DD
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C02581 9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BED5E0 9_2_04BED5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD0D20 9_2_04BD0D20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA1D55 9_2_04CA1D55
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA2D07 9_2_04CA2D07
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA2EF7 9_2_04CA2EF7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF6E30 9_2_04BF6E30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9D616 9_2_04C9D616
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CADFCE 9_2_04CADFCE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA1FF1 9_2_04CA1FF1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA28EC 9_2_04CA28EC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEB090 9_2_04BEB090
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C020A0 9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA20A8 9_2_04CA20A8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91002 9_2_04C91002
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CAE824 9_2_04CAE824
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF4120 9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDF900 9_2_04BDF900
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA22AE 9_2_04CA22AE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C8FA2B 9_2_04C8FA2B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C903DA 9_2_04C903DA
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9DBD2 9_2_04C9DBD2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0EBB0 9_2_04C0EBB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA2B28 9_2_04CA2B28
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0092C82E 9_2_0092C82E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0092A2A6 9_2_0092A2A6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_00918C1A 9_2_00918C1A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_00918C60 9_2_00918C60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_00912D90 9_2_00912D90
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0092B504 9_2_0092B504
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_0092CE2B 9_2_0092CE2B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_00912FB0 9_2_00912FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 04BDB150 appears 45 times
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: String function: 018CB150 appears 45 times
Sample file is different than original file name gathered from version info
Source: PO 367628usa.exe Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.348314984.0000000004F80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.346748080.0000000002EB0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.346748080.0000000002EB0000.00000004.00000001.sdmp Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.348709437.0000000005180000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000000.00000002.348407890.00000000050A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO 367628usa.exe
Source: PO 367628usa.exe Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000002.00000002.340682480.00000000000D2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000003.00000000.341450128.00000000003F2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000004.00000002.342956819.0000000000402000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe Binary or memory string: OriginalFilename vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000005.00000002.390665694.00000000019BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000005.00000002.389153954.0000000000E82000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Source: PO 367628usa.exe, 00000005.00000002.391187229.00000000034F9000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameraserver.exej% vs PO 367628usa.exe
Source: PO 367628usa.exe Binary or memory string: OriginalFilenameCspAlgorithmType.exeF vs PO 367628usa.exe
Uses 32bit PE files
Source: PO 367628usa.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: PO 367628usa.exe Static PE information: Section: ^8+S|rz ZLIB complexity 1.00031485501
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/1@9/4
Source: C:\Users\user\Desktop\PO 367628usa.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 367628usa.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01
Source: C:\Users\user\Desktop\PO 367628usa.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO 367628usa.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\raserver.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: PO 367628usa.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\PO 367628usa.exe File read: C:\Users\user\Desktop\PO 367628usa.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\PO 367628usa.exe 'C:\Users\user\Desktop\PO 367628usa.exe'
Source: C:\Users\user\Desktop\PO 367628usa.exe Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 367628usa.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
Source: C:\Users\user\Desktop\PO 367628usa.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO 367628usa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO 367628usa.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.372619692.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: PO 367628usa.exe, 00000005.00000002.390342174.00000000018A0000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.590539014.0000000004BB0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO 367628usa.exe, raserver.exe
Source: Binary string: RAServer.pdb source: PO 367628usa.exe, 00000005.00000002.391160036.00000000034E0000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: PO 367628usa.exe, 00000005.00000002.391160036.00000000034E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.372619692.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PO 367628usa.exe Unpacked PE file: 0.2.PO 367628usa.exe.4b0000.0.unpack ^8+S|rz:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
PE file contains sections with non-standard names
Source: PO 367628usa.exe Static PE information: section name: ^8+S|rz
Source: PO 367628usa.exe Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD0B91 pushfd ; iretd 0_2_00DD0B9E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD436F push edx; retf 0_2_00DD4373
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD4365 push edx; retf 0_2_00DD4369
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054EA96E push ebx; retf 0_2_054EA96F
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054EA964 push ebx; retf 0_2_054EA965
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_054E3390 push 83085F8Bh; ret 0_2_054E33F6
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_05C6732C push E8C84D8Bh; iretd 0_2_05C672ED
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D5632 push cs; retf 2_2_000D5642
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D304A push ds; retf 2_2_000D30A8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D5668 push cs; retf 2_2_000D567E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D5A6A push ss; retf 2_2_000D5A6E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D5680 push cs; retf 2_2_000D56C0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D5BA2 push ds; retf 2_2_000D5BA6
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D5BB4 push ds; retf 2_2_000D5BC4
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D53B6 push cs; retf 2_2_000D5642
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 2_2_000D5BC6 push ds; retf 2_2_000D5BCA
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F5632 push cs; retf 3_2_003F5642
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F5A6A push ss; retf 3_2_003F5A6E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F5668 push cs; retf 3_2_003F567E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F304A push ds; retf 3_2_003F30A8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F53B6 push cs; retf 3_2_003F5642
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F5BB4 push ds; retf 3_2_003F5BC4
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F5BA2 push ds; retf 3_2_003F5BA6
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F5680 push cs; retf 3_2_003F56C0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 3_2_003F5BC6 push ds; retf 3_2_003F5BCA
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4_2_0040304A push ds; retf 4_2_004030A8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4_2_00405668 push cs; retf 4_2_0040567E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4_2_00405A6A push ss; retf 4_2_00405A6E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4_2_00405632 push cs; retf 4_2_00405642
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4_2_00405BC6 push ds; retf 4_2_00405BCA
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 4_2_00405680 push cs; retf 4_2_004056C0
Source: initial sample Static PE information: section name: ^8+S|rz entropy: 7.99978876077
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 367628usa.exe PID: 6596, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO 367628usa.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO 367628usa.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 00000000009185E4 second address: 00000000009185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 000000000091897E second address: 0000000000918984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_004088B0 rdtsc 5_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO 367628usa.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO 367628usa.exe TID: 6600 Thread sleep time: -101657s >= -30000s
Source: C:\Users\user\Desktop\PO 367628usa.exe TID: 6620 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO 367628usa.exe Thread delayed: delay time: 101657
Source: C:\Users\user\Desktop\PO 367628usa.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000006.00000000.371026456.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.371059787.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.366615816.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.367358532.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.371235181.000000000851A000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: raserver.exe, 00000009.00000002.589860170.0000000002F07000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.366615816.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.371286813.0000000008552000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.367358532.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.371026456.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PO 367628usa.exe, 00000000.00000002.346118335.00000000029F3000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.370907968.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000006.00000000.366615816.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.370907968.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000006.00000000.371059787.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000006.00000002.589360759.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000006.00000000.366615816.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO 367628usa.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 0_2_00DD16E8 CheckRemoteDebuggerPresent, 0_2_00DD16E8
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO 367628usa.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PO 367628usa.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PO 367628usa.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_004088B0 rdtsc 5_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_00409B20 LdrLoadDll, 5_2_00409B20
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FA185 mov eax, dword ptr fs:[00000030h] 5_2_018FA185
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EC182 mov eax, dword ptr fs:[00000030h] 5_2_018EC182
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2990 mov eax, dword ptr fs:[00000030h] 5_2_018F2990
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019451BE mov eax, dword ptr fs:[00000030h] 5_2_019451BE
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019451BE mov eax, dword ptr fs:[00000030h] 5_2_019451BE
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019451BE mov eax, dword ptr fs:[00000030h] 5_2_019451BE
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019451BE mov eax, dword ptr fs:[00000030h] 5_2_019451BE
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F61A0 mov eax, dword ptr fs:[00000030h] 5_2_018F61A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F61A0 mov eax, dword ptr fs:[00000030h] 5_2_018F61A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019469A6 mov eax, dword ptr fs:[00000030h] 5_2_019469A6
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019849A4 mov eax, dword ptr fs:[00000030h] 5_2_019849A4
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019849A4 mov eax, dword ptr fs:[00000030h] 5_2_019849A4
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019849A4 mov eax, dword ptr fs:[00000030h] 5_2_019849A4
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019849A4 mov eax, dword ptr fs:[00000030h] 5_2_019849A4
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CB1E1 mov eax, dword ptr fs:[00000030h] 5_2_018CB1E1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CB1E1 mov eax, dword ptr fs:[00000030h] 5_2_018CB1E1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CB1E1 mov eax, dword ptr fs:[00000030h] 5_2_018CB1E1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019541E8 mov eax, dword ptr fs:[00000030h] 5_2_019541E8
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C9100 mov eax, dword ptr fs:[00000030h] 5_2_018C9100
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C9100 mov eax, dword ptr fs:[00000030h] 5_2_018C9100
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C9100 mov eax, dword ptr fs:[00000030h] 5_2_018C9100
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E4120 mov eax, dword ptr fs:[00000030h] 5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E4120 mov eax, dword ptr fs:[00000030h] 5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E4120 mov eax, dword ptr fs:[00000030h] 5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E4120 mov eax, dword ptr fs:[00000030h] 5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E4120 mov ecx, dword ptr fs:[00000030h] 5_2_018E4120
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F513A mov eax, dword ptr fs:[00000030h] 5_2_018F513A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F513A mov eax, dword ptr fs:[00000030h] 5_2_018F513A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EB944 mov eax, dword ptr fs:[00000030h] 5_2_018EB944
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EB944 mov eax, dword ptr fs:[00000030h] 5_2_018EB944
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CC962 mov eax, dword ptr fs:[00000030h] 5_2_018CC962
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CB171 mov eax, dword ptr fs:[00000030h] 5_2_018CB171
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CB171 mov eax, dword ptr fs:[00000030h] 5_2_018CB171
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C9080 mov eax, dword ptr fs:[00000030h] 5_2_018C9080
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01943884 mov eax, dword ptr fs:[00000030h] 5_2_01943884
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01943884 mov eax, dword ptr fs:[00000030h] 5_2_01943884
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h] 5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h] 5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h] 5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h] 5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h] 5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F20A0 mov eax, dword ptr fs:[00000030h] 5_2_018F20A0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FF0BF mov ecx, dword ptr fs:[00000030h] 5_2_018FF0BF
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FF0BF mov eax, dword ptr fs:[00000030h] 5_2_018FF0BF
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FF0BF mov eax, dword ptr fs:[00000030h] 5_2_018FF0BF
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019090AF mov eax, dword ptr fs:[00000030h] 5_2_019090AF
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0195B8D0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C58EC mov eax, dword ptr fs:[00000030h] 5_2_018C58EC
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C40E1 mov eax, dword ptr fs:[00000030h] 5_2_018C40E1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C40E1 mov eax, dword ptr fs:[00000030h] 5_2_018C40E1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C40E1 mov eax, dword ptr fs:[00000030h] 5_2_018C40E1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01947016 mov eax, dword ptr fs:[00000030h] 5_2_01947016
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01947016 mov eax, dword ptr fs:[00000030h] 5_2_01947016
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01947016 mov eax, dword ptr fs:[00000030h] 5_2_01947016
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01994015 mov eax, dword ptr fs:[00000030h] 5_2_01994015
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01994015 mov eax, dword ptr fs:[00000030h] 5_2_01994015
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h] 5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h] 5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h] 5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h] 5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F002D mov eax, dword ptr fs:[00000030h] 5_2_018F002D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DB02A mov eax, dword ptr fs:[00000030h] 5_2_018DB02A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DB02A mov eax, dword ptr fs:[00000030h] 5_2_018DB02A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DB02A mov eax, dword ptr fs:[00000030h] 5_2_018DB02A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DB02A mov eax, dword ptr fs:[00000030h] 5_2_018DB02A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E0050 mov eax, dword ptr fs:[00000030h] 5_2_018E0050
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E0050 mov eax, dword ptr fs:[00000030h] 5_2_018E0050
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01982073 mov eax, dword ptr fs:[00000030h] 5_2_01982073
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01991074 mov eax, dword ptr fs:[00000030h] 5_2_01991074
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D1B8F mov eax, dword ptr fs:[00000030h] 5_2_018D1B8F
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D1B8F mov eax, dword ptr fs:[00000030h] 5_2_018D1B8F
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198138A mov eax, dword ptr fs:[00000030h] 5_2_0198138A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0197D380 mov ecx, dword ptr fs:[00000030h] 5_2_0197D380
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2397 mov eax, dword ptr fs:[00000030h] 5_2_018F2397
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FB390 mov eax, dword ptr fs:[00000030h] 5_2_018FB390
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F4BAD mov eax, dword ptr fs:[00000030h] 5_2_018F4BAD
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F4BAD mov eax, dword ptr fs:[00000030h] 5_2_018F4BAD
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F4BAD mov eax, dword ptr fs:[00000030h] 5_2_018F4BAD
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01995BA5 mov eax, dword ptr fs:[00000030h] 5_2_01995BA5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019453CA mov eax, dword ptr fs:[00000030h] 5_2_019453CA
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019453CA mov eax, dword ptr fs:[00000030h] 5_2_019453CA
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EDBE9 mov eax, dword ptr fs:[00000030h] 5_2_018EDBE9
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h] 5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h] 5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h] 5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h] 5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h] 5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F03E2 mov eax, dword ptr fs:[00000030h] 5_2_018F03E2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198131B mov eax, dword ptr fs:[00000030h] 5_2_0198131B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01998B58 mov eax, dword ptr fs:[00000030h] 5_2_01998B58
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CDB40 mov eax, dword ptr fs:[00000030h] 5_2_018CDB40
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CF358 mov eax, dword ptr fs:[00000030h] 5_2_018CF358
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CDB60 mov ecx, dword ptr fs:[00000030h] 5_2_018CDB60
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F3B7A mov eax, dword ptr fs:[00000030h] 5_2_018F3B7A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F3B7A mov eax, dword ptr fs:[00000030h] 5_2_018F3B7A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FD294 mov eax, dword ptr fs:[00000030h] 5_2_018FD294
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FD294 mov eax, dword ptr fs:[00000030h] 5_2_018FD294
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h] 5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h] 5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h] 5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h] 5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C52A5 mov eax, dword ptr fs:[00000030h] 5_2_018C52A5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DAAB0 mov eax, dword ptr fs:[00000030h] 5_2_018DAAB0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DAAB0 mov eax, dword ptr fs:[00000030h] 5_2_018DAAB0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FFAB0 mov eax, dword ptr fs:[00000030h] 5_2_018FFAB0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2ACB mov eax, dword ptr fs:[00000030h] 5_2_018F2ACB
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2AE4 mov eax, dword ptr fs:[00000030h] 5_2_018F2AE4
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D8A0A mov eax, dword ptr fs:[00000030h] 5_2_018D8A0A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198AA16 mov eax, dword ptr fs:[00000030h] 5_2_0198AA16
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198AA16 mov eax, dword ptr fs:[00000030h] 5_2_0198AA16
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E3A1C mov eax, dword ptr fs:[00000030h] 5_2_018E3A1C
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CAA16 mov eax, dword ptr fs:[00000030h] 5_2_018CAA16
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CAA16 mov eax, dword ptr fs:[00000030h] 5_2_018CAA16
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C5210 mov eax, dword ptr fs:[00000030h] 5_2_018C5210
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C5210 mov ecx, dword ptr fs:[00000030h] 5_2_018C5210
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C5210 mov eax, dword ptr fs:[00000030h] 5_2_018C5210
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C5210 mov eax, dword ptr fs:[00000030h] 5_2_018C5210
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01904A2C mov eax, dword ptr fs:[00000030h] 5_2_01904A2C
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01904A2C mov eax, dword ptr fs:[00000030h] 5_2_01904A2C
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01954257 mov eax, dword ptr fs:[00000030h] 5_2_01954257
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C9240 mov eax, dword ptr fs:[00000030h] 5_2_018C9240
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C9240 mov eax, dword ptr fs:[00000030h] 5_2_018C9240
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C9240 mov eax, dword ptr fs:[00000030h] 5_2_018C9240
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C9240 mov eax, dword ptr fs:[00000030h] 5_2_018C9240
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198EA55 mov eax, dword ptr fs:[00000030h] 5_2_0198EA55
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0190927A mov eax, dword ptr fs:[00000030h] 5_2_0190927A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0197B260 mov eax, dword ptr fs:[00000030h] 5_2_0197B260
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0197B260 mov eax, dword ptr fs:[00000030h] 5_2_0197B260
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01998A62 mov eax, dword ptr fs:[00000030h] 5_2_01998A62
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h] 5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h] 5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h] 5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h] 5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C2D8A mov eax, dword ptr fs:[00000030h] 5_2_018C2D8A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2581 mov eax, dword ptr fs:[00000030h] 5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2581 mov eax, dword ptr fs:[00000030h] 5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2581 mov eax, dword ptr fs:[00000030h] 5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F2581 mov eax, dword ptr fs:[00000030h] 5_2_018F2581
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FFD9B mov eax, dword ptr fs:[00000030h] 5_2_018FFD9B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FFD9B mov eax, dword ptr fs:[00000030h] 5_2_018FFD9B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F35A1 mov eax, dword ptr fs:[00000030h] 5_2_018F35A1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019905AC mov eax, dword ptr fs:[00000030h] 5_2_019905AC
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019905AC mov eax, dword ptr fs:[00000030h] 5_2_019905AC
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F1DB5 mov eax, dword ptr fs:[00000030h] 5_2_018F1DB5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F1DB5 mov eax, dword ptr fs:[00000030h] 5_2_018F1DB5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F1DB5 mov eax, dword ptr fs:[00000030h] 5_2_018F1DB5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h] 5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h] 5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h] 5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946DC9 mov ecx, dword ptr fs:[00000030h] 5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h] 5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946DC9 mov eax, dword ptr fs:[00000030h] 5_2_01946DC9
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01978DF1 mov eax, dword ptr fs:[00000030h] 5_2_01978DF1
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DD5E0 mov eax, dword ptr fs:[00000030h] 5_2_018DD5E0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DD5E0 mov eax, dword ptr fs:[00000030h] 5_2_018DD5E0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0198FDE2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0198FDE2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0198FDE2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0198FDE2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198E539 mov eax, dword ptr fs:[00000030h] 5_2_0198E539
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0194A537 mov eax, dword ptr fs:[00000030h] 5_2_0194A537
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01998D34 mov eax, dword ptr fs:[00000030h] 5_2_01998D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F4D3B mov eax, dword ptr fs:[00000030h] 5_2_018F4D3B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F4D3B mov eax, dword ptr fs:[00000030h] 5_2_018F4D3B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F4D3B mov eax, dword ptr fs:[00000030h] 5_2_018F4D3B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D3D34 mov eax, dword ptr fs:[00000030h] 5_2_018D3D34
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CAD30 mov eax, dword ptr fs:[00000030h] 5_2_018CAD30
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01903D43 mov eax, dword ptr fs:[00000030h] 5_2_01903D43
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01943540 mov eax, dword ptr fs:[00000030h] 5_2_01943540
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01973D40 mov eax, dword ptr fs:[00000030h] 5_2_01973D40
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E7D50 mov eax, dword ptr fs:[00000030h] 5_2_018E7D50
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EC577 mov eax, dword ptr fs:[00000030h] 5_2_018EC577
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EC577 mov eax, dword ptr fs:[00000030h] 5_2_018EC577
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D849B mov eax, dword ptr fs:[00000030h] 5_2_018D849B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01998CD6 mov eax, dword ptr fs:[00000030h] 5_2_01998CD6
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019814FB mov eax, dword ptr fs:[00000030h] 5_2_019814FB
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946CF0 mov eax, dword ptr fs:[00000030h] 5_2_01946CF0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946CF0 mov eax, dword ptr fs:[00000030h] 5_2_01946CF0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946CF0 mov eax, dword ptr fs:[00000030h] 5_2_01946CF0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0199740D mov eax, dword ptr fs:[00000030h] 5_2_0199740D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0199740D mov eax, dword ptr fs:[00000030h] 5_2_0199740D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0199740D mov eax, dword ptr fs:[00000030h] 5_2_0199740D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981C06 mov eax, dword ptr fs:[00000030h] 5_2_01981C06
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946C0A mov eax, dword ptr fs:[00000030h] 5_2_01946C0A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946C0A mov eax, dword ptr fs:[00000030h] 5_2_01946C0A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946C0A mov eax, dword ptr fs:[00000030h] 5_2_01946C0A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01946C0A mov eax, dword ptr fs:[00000030h] 5_2_01946C0A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FBC2C mov eax, dword ptr fs:[00000030h] 5_2_018FBC2C
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FA44B mov eax, dword ptr fs:[00000030h] 5_2_018FA44B
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195C450 mov eax, dword ptr fs:[00000030h] 5_2_0195C450
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195C450 mov eax, dword ptr fs:[00000030h] 5_2_0195C450
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018E746D mov eax, dword ptr fs:[00000030h] 5_2_018E746D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01947794 mov eax, dword ptr fs:[00000030h] 5_2_01947794
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01947794 mov eax, dword ptr fs:[00000030h] 5_2_01947794
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01947794 mov eax, dword ptr fs:[00000030h] 5_2_01947794
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D8794 mov eax, dword ptr fs:[00000030h] 5_2_018D8794
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019037F5 mov eax, dword ptr fs:[00000030h] 5_2_019037F5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FA70E mov eax, dword ptr fs:[00000030h] 5_2_018FA70E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FA70E mov eax, dword ptr fs:[00000030h] 5_2_018FA70E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195FF10 mov eax, dword ptr fs:[00000030h] 5_2_0195FF10
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195FF10 mov eax, dword ptr fs:[00000030h] 5_2_0195FF10
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0199070D mov eax, dword ptr fs:[00000030h] 5_2_0199070D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0199070D mov eax, dword ptr fs:[00000030h] 5_2_0199070D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EF716 mov eax, dword ptr fs:[00000030h] 5_2_018EF716
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C4F2E mov eax, dword ptr fs:[00000030h] 5_2_018C4F2E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018C4F2E mov eax, dword ptr fs:[00000030h] 5_2_018C4F2E
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FE730 mov eax, dword ptr fs:[00000030h] 5_2_018FE730
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DEF40 mov eax, dword ptr fs:[00000030h] 5_2_018DEF40
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018DFF60 mov eax, dword ptr fs:[00000030h] 5_2_018DFF60
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01998F6A mov eax, dword ptr fs:[00000030h] 5_2_01998F6A
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0195FE87 mov eax, dword ptr fs:[00000030h] 5_2_0195FE87
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_019446A7 mov eax, dword ptr fs:[00000030h] 5_2_019446A7
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01990EA5 mov eax, dword ptr fs:[00000030h] 5_2_01990EA5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01990EA5 mov eax, dword ptr fs:[00000030h] 5_2_01990EA5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01990EA5 mov eax, dword ptr fs:[00000030h] 5_2_01990EA5
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F36CC mov eax, dword ptr fs:[00000030h] 5_2_018F36CC
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01998ED6 mov eax, dword ptr fs:[00000030h] 5_2_01998ED6
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0197FEC0 mov eax, dword ptr fs:[00000030h] 5_2_0197FEC0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01908EC7 mov eax, dword ptr fs:[00000030h] 5_2_01908EC7
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F16E0 mov ecx, dword ptr fs:[00000030h] 5_2_018F16E0
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D76E2 mov eax, dword ptr fs:[00000030h] 5_2_018D76E2
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CC600 mov eax, dword ptr fs:[00000030h] 5_2_018CC600
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CC600 mov eax, dword ptr fs:[00000030h] 5_2_018CC600
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CC600 mov eax, dword ptr fs:[00000030h] 5_2_018CC600
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018F8E00 mov eax, dword ptr fs:[00000030h] 5_2_018F8E00
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_01981608 mov eax, dword ptr fs:[00000030h] 5_2_01981608
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FA61C mov eax, dword ptr fs:[00000030h] 5_2_018FA61C
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018FA61C mov eax, dword ptr fs:[00000030h] 5_2_018FA61C
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0197FE3F mov eax, dword ptr fs:[00000030h] 5_2_0197FE3F
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018CE620 mov eax, dword ptr fs:[00000030h] 5_2_018CE620
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h] 5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h] 5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h] 5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h] 5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h] 5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D7E41 mov eax, dword ptr fs:[00000030h] 5_2_018D7E41
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198AE44 mov eax, dword ptr fs:[00000030h] 5_2_0198AE44
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_0198AE44 mov eax, dword ptr fs:[00000030h] 5_2_0198AE44
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018D766D mov eax, dword ptr fs:[00000030h] 5_2_018D766D
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h] 5_2_018EAE73
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h] 5_2_018EAE73
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h] 5_2_018EAE73
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h] 5_2_018EAE73
Source: C:\Users\user\Desktop\PO 367628usa.exe Code function: 5_2_018EAE73 mov eax, dword ptr fs:[00000030h] 5_2_018EAE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA8CD6 mov eax, dword ptr fs:[00000030h] 9_2_04CA8CD6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE849B mov eax, dword ptr fs:[00000030h] 9_2_04BE849B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C914FB mov eax, dword ptr fs:[00000030h] 9_2_04C914FB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56CF0 mov eax, dword ptr fs:[00000030h] 9_2_04C56CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56CF0 mov eax, dword ptr fs:[00000030h] 9_2_04C56CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56CF0 mov eax, dword ptr fs:[00000030h] 9_2_04C56CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0A44B mov eax, dword ptr fs:[00000030h] 9_2_04C0A44B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6C450 mov eax, dword ptr fs:[00000030h] 9_2_04C6C450
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6C450 mov eax, dword ptr fs:[00000030h] 9_2_04C6C450
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA740D mov eax, dword ptr fs:[00000030h] 9_2_04CA740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA740D mov eax, dword ptr fs:[00000030h] 9_2_04CA740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA740D mov eax, dword ptr fs:[00000030h] 9_2_04CA740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91C06 mov eax, dword ptr fs:[00000030h] 9_2_04C91C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56C0A mov eax, dword ptr fs:[00000030h] 9_2_04C56C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56C0A mov eax, dword ptr fs:[00000030h] 9_2_04C56C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56C0A mov eax, dword ptr fs:[00000030h] 9_2_04C56C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56C0A mov eax, dword ptr fs:[00000030h] 9_2_04C56C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF746D mov eax, dword ptr fs:[00000030h] 9_2_04BF746D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0BC2C mov eax, dword ptr fs:[00000030h] 9_2_04C0BC2C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h] 9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h] 9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h] 9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56DC9 mov ecx, dword ptr fs:[00000030h] 9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h] 9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C56DC9 mov eax, dword ptr fs:[00000030h] 9_2_04C56DC9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9FDE2 mov eax, dword ptr fs:[00000030h] 9_2_04C9FDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9FDE2 mov eax, dword ptr fs:[00000030h] 9_2_04C9FDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9FDE2 mov eax, dword ptr fs:[00000030h] 9_2_04C9FDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9FDE2 mov eax, dword ptr fs:[00000030h] 9_2_04C9FDE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h] 9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h] 9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h] 9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h] 9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD2D8A mov eax, dword ptr fs:[00000030h] 9_2_04BD2D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C88DF1 mov eax, dword ptr fs:[00000030h] 9_2_04C88DF1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C02581 mov eax, dword ptr fs:[00000030h] 9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C02581 mov eax, dword ptr fs:[00000030h] 9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C02581 mov eax, dword ptr fs:[00000030h] 9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C02581 mov eax, dword ptr fs:[00000030h] 9_2_04C02581
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0FD9B mov eax, dword ptr fs:[00000030h] 9_2_04C0FD9B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0FD9B mov eax, dword ptr fs:[00000030h] 9_2_04C0FD9B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BED5E0 mov eax, dword ptr fs:[00000030h] 9_2_04BED5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BED5E0 mov eax, dword ptr fs:[00000030h] 9_2_04BED5E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C035A1 mov eax, dword ptr fs:[00000030h] 9_2_04C035A1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA05AC mov eax, dword ptr fs:[00000030h] 9_2_04CA05AC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA05AC mov eax, dword ptr fs:[00000030h] 9_2_04CA05AC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C01DB5 mov eax, dword ptr fs:[00000030h] 9_2_04C01DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C01DB5 mov eax, dword ptr fs:[00000030h] 9_2_04C01DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C01DB5 mov eax, dword ptr fs:[00000030h] 9_2_04C01DB5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C13D43 mov eax, dword ptr fs:[00000030h] 9_2_04C13D43
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C53540 mov eax, dword ptr fs:[00000030h] 9_2_04C53540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C83D40 mov eax, dword ptr fs:[00000030h] 9_2_04C83D40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE3D34 mov eax, dword ptr fs:[00000030h] 9_2_04BE3D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDAD30 mov eax, dword ptr fs:[00000030h] 9_2_04BDAD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFC577 mov eax, dword ptr fs:[00000030h] 9_2_04BFC577
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFC577 mov eax, dword ptr fs:[00000030h] 9_2_04BFC577
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF7D50 mov eax, dword ptr fs:[00000030h] 9_2_04BF7D50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9E539 mov eax, dword ptr fs:[00000030h] 9_2_04C9E539
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C5A537 mov eax, dword ptr fs:[00000030h] 9_2_04C5A537
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C04D3B mov eax, dword ptr fs:[00000030h] 9_2_04C04D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C04D3B mov eax, dword ptr fs:[00000030h] 9_2_04C04D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C04D3B mov eax, dword ptr fs:[00000030h] 9_2_04C04D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA8D34 mov eax, dword ptr fs:[00000030h] 9_2_04CA8D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C18EC7 mov eax, dword ptr fs:[00000030h] 9_2_04C18EC7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C8FEC0 mov eax, dword ptr fs:[00000030h] 9_2_04C8FEC0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C036CC mov eax, dword ptr fs:[00000030h] 9_2_04C036CC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA8ED6 mov eax, dword ptr fs:[00000030h] 9_2_04CA8ED6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C016E0 mov ecx, dword ptr fs:[00000030h] 9_2_04C016E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6FE87 mov eax, dword ptr fs:[00000030h] 9_2_04C6FE87
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE76E2 mov eax, dword ptr fs:[00000030h] 9_2_04BE76E2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C546A7 mov eax, dword ptr fs:[00000030h] 9_2_04C546A7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA0EA5 mov eax, dword ptr fs:[00000030h] 9_2_04CA0EA5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA0EA5 mov eax, dword ptr fs:[00000030h] 9_2_04CA0EA5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA0EA5 mov eax, dword ptr fs:[00000030h] 9_2_04CA0EA5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9AE44 mov eax, dword ptr fs:[00000030h] 9_2_04C9AE44
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C9AE44 mov eax, dword ptr fs:[00000030h] 9_2_04C9AE44
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDE620 mov eax, dword ptr fs:[00000030h] 9_2_04BDE620
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDC600 mov eax, dword ptr fs:[00000030h] 9_2_04BDC600
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDC600 mov eax, dword ptr fs:[00000030h] 9_2_04BDC600
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDC600 mov eax, dword ptr fs:[00000030h] 9_2_04BDC600
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C08E00 mov eax, dword ptr fs:[00000030h] 9_2_04C08E00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C91608 mov eax, dword ptr fs:[00000030h] 9_2_04C91608
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h] 9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h] 9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h] 9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h] 9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFAE73 mov eax, dword ptr fs:[00000030h] 9_2_04BFAE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE766D mov eax, dword ptr fs:[00000030h] 9_2_04BE766D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0A61C mov eax, dword ptr fs:[00000030h] 9_2_04C0A61C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0A61C mov eax, dword ptr fs:[00000030h] 9_2_04C0A61C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C8FE3F mov eax, dword ptr fs:[00000030h] 9_2_04C8FE3F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h] 9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h] 9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h] 9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h] 9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h] 9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE7E41 mov eax, dword ptr fs:[00000030h] 9_2_04BE7E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BE8794 mov eax, dword ptr fs:[00000030h] 9_2_04BE8794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C137F5 mov eax, dword ptr fs:[00000030h] 9_2_04C137F5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C57794 mov eax, dword ptr fs:[00000030h] 9_2_04C57794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C57794 mov eax, dword ptr fs:[00000030h] 9_2_04C57794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C57794 mov eax, dword ptr fs:[00000030h] 9_2_04C57794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD4F2E mov eax, dword ptr fs:[00000030h] 9_2_04BD4F2E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD4F2E mov eax, dword ptr fs:[00000030h] 9_2_04BD4F2E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA8F6A mov eax, dword ptr fs:[00000030h] 9_2_04CA8F6A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFF716 mov eax, dword ptr fs:[00000030h] 9_2_04BFF716
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA070D mov eax, dword ptr fs:[00000030h] 9_2_04CA070D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA070D mov eax, dword ptr fs:[00000030h] 9_2_04CA070D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0A70E mov eax, dword ptr fs:[00000030h] 9_2_04C0A70E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0A70E mov eax, dword ptr fs:[00000030h] 9_2_04C0A70E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6FF10 mov eax, dword ptr fs:[00000030h] 9_2_04C6FF10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6FF10 mov eax, dword ptr fs:[00000030h] 9_2_04C6FF10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEFF60 mov eax, dword ptr fs:[00000030h] 9_2_04BEFF60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0E730 mov eax, dword ptr fs:[00000030h] 9_2_04C0E730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEEF40 mov eax, dword ptr fs:[00000030h] 9_2_04BEEF40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C6B8D0 mov eax, dword ptr fs:[00000030h] 9_2_04C6B8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD9080 mov eax, dword ptr fs:[00000030h] 9_2_04BD9080
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C53884 mov eax, dword ptr fs:[00000030h] 9_2_04C53884
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C53884 mov eax, dword ptr fs:[00000030h] 9_2_04C53884
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD58EC mov eax, dword ptr fs:[00000030h] 9_2_04BD58EC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD40E1 mov eax, dword ptr fs:[00000030h] 9_2_04BD40E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD40E1 mov eax, dword ptr fs:[00000030h] 9_2_04BD40E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD40E1 mov eax, dword ptr fs:[00000030h] 9_2_04BD40E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h] 9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h] 9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h] 9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h] 9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h] 9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C020A0 mov eax, dword ptr fs:[00000030h] 9_2_04C020A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C190AF mov eax, dword ptr fs:[00000030h] 9_2_04C190AF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0F0BF mov ecx, dword ptr fs:[00000030h] 9_2_04C0F0BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0F0BF mov eax, dword ptr fs:[00000030h] 9_2_04C0F0BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0F0BF mov eax, dword ptr fs:[00000030h] 9_2_04C0F0BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEB02A mov eax, dword ptr fs:[00000030h] 9_2_04BEB02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEB02A mov eax, dword ptr fs:[00000030h] 9_2_04BEB02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEB02A mov eax, dword ptr fs:[00000030h] 9_2_04BEB02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEB02A mov eax, dword ptr fs:[00000030h] 9_2_04BEB02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C92073 mov eax, dword ptr fs:[00000030h] 9_2_04C92073
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA1074 mov eax, dword ptr fs:[00000030h] 9_2_04CA1074
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C57016 mov eax, dword ptr fs:[00000030h] 9_2_04C57016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C57016 mov eax, dword ptr fs:[00000030h] 9_2_04C57016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C57016 mov eax, dword ptr fs:[00000030h] 9_2_04C57016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA4015 mov eax, dword ptr fs:[00000030h] 9_2_04CA4015
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04CA4015 mov eax, dword ptr fs:[00000030h] 9_2_04CA4015
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h] 9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h] 9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h] 9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h] 9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0002D mov eax, dword ptr fs:[00000030h] 9_2_04C0002D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF0050 mov eax, dword ptr fs:[00000030h] 9_2_04BF0050
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF0050 mov eax, dword ptr fs:[00000030h] 9_2_04BF0050
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C641E8 mov eax, dword ptr fs:[00000030h] 9_2_04C641E8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFC182 mov eax, dword ptr fs:[00000030h] 9_2_04BFC182
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0A185 mov eax, dword ptr fs:[00000030h] 9_2_04C0A185
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C02990 mov eax, dword ptr fs:[00000030h] 9_2_04C02990
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDB1E1 mov eax, dword ptr fs:[00000030h] 9_2_04BDB1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDB1E1 mov eax, dword ptr fs:[00000030h] 9_2_04BDB1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDB1E1 mov eax, dword ptr fs:[00000030h] 9_2_04BDB1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C061A0 mov eax, dword ptr fs:[00000030h] 9_2_04C061A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C061A0 mov eax, dword ptr fs:[00000030h] 9_2_04C061A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C569A6 mov eax, dword ptr fs:[00000030h] 9_2_04C569A6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C949A4 mov eax, dword ptr fs:[00000030h] 9_2_04C949A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C949A4 mov eax, dword ptr fs:[00000030h] 9_2_04C949A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C949A4 mov eax, dword ptr fs:[00000030h] 9_2_04C949A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C949A4 mov eax, dword ptr fs:[00000030h] 9_2_04C949A4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C551BE mov eax, dword ptr fs:[00000030h] 9_2_04C551BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C551BE mov eax, dword ptr fs:[00000030h] 9_2_04C551BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C551BE mov eax, dword ptr fs:[00000030h] 9_2_04C551BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C551BE mov eax, dword ptr fs:[00000030h] 9_2_04C551BE
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF4120 mov eax, dword ptr fs:[00000030h] 9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF4120 mov eax, dword ptr fs:[00000030h] 9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF4120 mov eax, dword ptr fs:[00000030h] 9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF4120 mov eax, dword ptr fs:[00000030h] 9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BF4120 mov ecx, dword ptr fs:[00000030h] 9_2_04BF4120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD9100 mov eax, dword ptr fs:[00000030h] 9_2_04BD9100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD9100 mov eax, dword ptr fs:[00000030h] 9_2_04BD9100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD9100 mov eax, dword ptr fs:[00000030h] 9_2_04BD9100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDB171 mov eax, dword ptr fs:[00000030h] 9_2_04BDB171
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDB171 mov eax, dword ptr fs:[00000030h] 9_2_04BDB171
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BDC962 mov eax, dword ptr fs:[00000030h] 9_2_04BDC962
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0513A mov eax, dword ptr fs:[00000030h] 9_2_04C0513A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0513A mov eax, dword ptr fs:[00000030h] 9_2_04C0513A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFB944 mov eax, dword ptr fs:[00000030h] 9_2_04BFB944
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BFB944 mov eax, dword ptr fs:[00000030h] 9_2_04BFB944
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C02ACB mov eax, dword ptr fs:[00000030h] 9_2_04C02ACB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEAAB0 mov eax, dword ptr fs:[00000030h] 9_2_04BEAAB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BEAAB0 mov eax, dword ptr fs:[00000030h] 9_2_04BEAAB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h] 9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h] 9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h] 9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h] 9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04BD52A5 mov eax, dword ptr fs:[00000030h] 9_2_04BD52A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C02AE4 mov eax, dword ptr fs:[00000030h] 9_2_04C02AE4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0D294 mov eax, dword ptr fs:[00000030h] 9_2_04C0D294
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0D294 mov eax, dword ptr fs:[00000030h] 9_2_04C0D294
Source: C:\Windows\SysWOW64\raserver.exe Code function: 9_2_04C0FAB0 mov eax, dword ptr fs:[00000030h] 9_2_04C0FAB0
Enables debug privileges
Source: C:\Users\user\Desktop\PO 367628usa.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.bridgestreetresources.com
Source: C:\Windows\explorer.exe Domain query: www.uuoouu-90.store
Source: C:\Windows\explorer.exe Domain query: www.patricksparber.com
Source: C:\Windows\explorer.exe Domain query: www.servantsheartvalet.com
Source: C:\Windows\explorer.exe Domain query: www.meucamarimoficial.com
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.147 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.m-kenterprises.com
Source: C:\Windows\explorer.exe Network Connect: 156.253.106.229 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 209.182.202.96 80 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO 367628usa.exe Memory written: C:\Users\user\Desktop\PO 367628usa.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PO 367628usa.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PO 367628usa.exe Thread register set: target process: 3440 Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 3440 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PO 367628usa.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PO 367628usa.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 950000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO 367628usa.exe Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 367628usa.exe' Jump to behavior
Source: explorer.exe, 00000006.00000002.590088493.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.590224656.0000000003460000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.590088493.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.590224656.0000000003460000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.590088493.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.590224656.0000000003460000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000006.00000002.590088493.0000000000EE0000.00000002.00000001.sdmp, raserver.exe, 00000009.00000002.590224656.0000000003460000.00000002.00000001.sdmp Binary or memory string: Progmanlock
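The injection lines above (section mapped, APC queued, thread context set, image unmapped) and the network lines attributed to explorer.exe are what a sandbox correlates to raise "System process connects to network (likely due to code injection or exploit)". The Python below is an added example, not code from the report or from the sandbox vendor: it parses lines in this report's own format, records which processes were injection targets, and flags a Windows binary that shows network activity while also being such a target. The sample lines are copied from this section; the function names and the technique labels are the editor's own.

```python
import re
from collections import defaultdict

# Behaviour lines copied from the report section above; the trailing
# "Jump to behavior" link text is stripped by the parser.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\PO 367628usa.exe Process created: C:\Users\user\Desktop\PO 367628usa.exe C:\Users\user\Desktop\PO 367628usa.exe Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Memory written: C:\Users\user\Desktop\PO 367628usa.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Thread register set: target process: 3440 Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 950000 Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.patricksparber.com
Source: C:\Windows\explorer.exe Network Connect: 156.253.106.229 80 Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 367628usa.exe' Jump to behavior
""".strip().splitlines()

ACTIONS = ("Section loaded", "Thread APC queued", "Thread register set",
           "Section unmapped", "Memory written", "Process created",
           "Domain query", "Network Connect")

# Report actions that count as code injection, with a label for each.
INJECTION_ACTIONS = {
    "Section loaded": "section mapped into remote process",
    "Thread APC queued": "APC queued on remote thread",
    "Thread register set": "remote thread context modified",
    "Section unmapped": "original image unmapped (process hollowing)",
    "Memory written": "PE image written into remote process",
}

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe) (?P<action>" + "|".join(ACTIONS) + r"): "
    r"(?P<rest>.*?)(?: Jump to behavior)?$"
)
FIRST_EXE_RE = re.compile(r"^(?P<exe>.+?\.exe)")


def parse_line(line):
    """Turn one report line into an event dict, or None if it is not a behaviour line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, action, rest = m.group("src"), m.group("action"), m.group("rest")
    ev = {"src": src, "action": action}
    if action == "Section loaded":
        t = re.search(r"target: (?P<t>.+?\.exe) protection: (?P<p>.+)$", rest)
        if not t:
            return None
        ev["target"], ev["protection"] = t.group("t"), t.group("p")
    elif action in ("Thread APC queued", "Thread register set"):
        ev["target"] = rest.partition("target process: ")[2]   # path or pid
    elif action in ("Section unmapped", "Memory written", "Process created"):
        exe = FIRST_EXE_RE.match(rest)
        if not exe:
            return None
        ev["target"] = exe.group("exe")
        if action == "Memory written":
            ev["pe_header"] = rest.endswith("4D5A")   # "MZ": a PE image was written
    elif action == "Domain query":
        ev["domain"] = rest
    elif action == "Network Connect":
        ip, port = rest.split()
        ev["ip"], ev["port"] = ip, int(port)
    return ev


def injection_targets(events):
    """Map each injection target (path or pid) to the set of (injector, technique)."""
    targets = defaultdict(set)
    for ev in events:
        if ev["action"] not in INJECTION_ACTIONS:
            continue
        if ev["action"] == "Memory written" and not ev.get("pe_header"):
            continue   # a remote write without an MZ header is not yet a PE injection
        targets[ev["target"]].add((ev["src"], INJECTION_ACTIONS[ev["action"]]))
    return targets


def network_by_process(events):
    """Domains queried and ip:port pairs connected to, keyed by the acting process."""
    net = defaultdict(set)
    for ev in events:
        if ev["action"] == "Domain query":
            net[ev["src"]].add(ev["domain"])
        elif ev["action"] == "Network Connect":
            net[ev["src"]].add("%s:%d" % (ev["ip"], ev["port"]))
    return net


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def injected_system_processes_with_network(lines):
    """Reproduce the 'system process connects to network' correlation: a Windows
    binary that shows network activity and is also an injection target."""
    events = [ev for ev in map(parse_line, lines) if ev]
    targets = injection_targets(events)
    findings = {}
    for proc, indicators in network_by_process(events).items():
        if is_windows_binary(proc) and proc in targets:
            findings[proc] = {
                "injected_by": sorted({s for s, _ in targets[proc]}),
                "techniques": sorted({t for _, t in targets[proc]}),
                "indicators": sorted(indicators),
            }
    return findings


if __name__ == "__main__":
    for proc, info in injected_system_processes_with_network(REPORT_LINES).items():
        print(proc)
        for key, values in info.items():
            print("  %s: %s" % (key, "; ".join(values)))
```

Run against the ten sample lines, the only finding is C:\Windows\explorer.exe, injected by both PO 367628usa.exe and raserver.exe, with www.patricksparber.com and 156.253.106.229:80 as its indicators; raserver.exe is recorded as a hollowing target but produces no finding here because this section attributes no network lines to it.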

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO 367628usa.exe Queries volume information: C:\Users\user\Desktop\PO 367628usa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 367628usa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.588488580.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.589496878.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.589661592.0000000002E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.347022763.00000000039F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.389944333.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.390287791.0000000001860000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.388446461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.PO 367628usa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PO 367628usa.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph (ID: 412247, Sample: PO 367628usa.exe, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 100)

Top-level indicators:
  Domains/IPs: www.sherwooddaydesigns.com; www.shadyshainarae.com; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree:
  PO 367628usa.exe 3 (started)
    Dropped file: C:\Users\user\...\PO 367628usa.exe.log, ASCII
    Signature: Injects a PE file into a foreign processes
    -> PO 367628usa.exe (started, four child instances)
       Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
       -> explorer.exe (injected)
          Contacts: www.patricksparber.com 156.253.106.229, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; servantsheartvalet.com 209.182.202.96, 49744, 80, IMH-WESTUS, United States; 8 other IPs or domains
          Signature: System process connects to network (likely due to code injection or exploit)
          -> raserver.exe 12 (started)
             Contacts: www.patricksparber.com
             Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
             -> cmd.exe 1 (started)
                -> conhost.exe (started)

Contacted Public IPs

IP               Domain                     Country        ASN     ASN Name                         Malicious
156.253.106.229  www.patricksparber.com     Seychelles     136800  XIAOZHIYUN1-AS-APICIDCNETWORKUS  true
34.102.136.180   m-kenterprises.com         United States  15169   GOOGLEUS                         false
209.182.202.96   servantsheartvalet.com     United States  22611   IMH-WESTUS                       true
66.235.200.147   bridgestreetresources.com  United States  13335   CLOUDFLARENETUS                  true

Contacted Domains

Name IP Active
servantsheartvalet.com 209.182.202.96 true
www.patricksparber.com 156.253.106.229 true
bridgestreetresources.com 66.235.200.147 true
m-kenterprises.com 34.102.136.180 true
shadyshainarae.com 34.102.136.180 true
ext-sq.squarespace.com 198.185.159.144 true
www.bridgestreetresources.com unknown unknown
www.uuoouu-90.store unknown unknown
www.shadyshainarae.com unknown unknown
www.sherwooddaydesigns.com unknown unknown
www.servantsheartvalet.com unknown unknown
www.meucamarimoficial.com unknown unknown
www.m-kenterprises.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.bridgestreetresources.com/meub/?5jYHTPD=wcKMzz9mAcCi2aLb0t1qtV86GlMNvZH+VyhKA1jT/I4bq+nb0/na/dj3wGs+8qrOUrJA87J5aQ==&W2MTZ=5jyDHn6x2rY | true | Avira URL Cloud: safe | unknown
http://www.m-kenterprises.com/meub/?5jYHTPD=AHOwzMgiYatzzgqEm8fFrRw5FyeBXJPWAn72SIj91D3zxHtkj2kvoxgZPNykIH4K/OrW/jgvcw==&W2MTZ=5jyDHn6x2rY | false | Avira URL Cloud: safe | unknown
http://www.servantsheartvalet.com/meub/?5jYHTPD=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36klWLP588DVSUgz18wg==&W2MTZ=5jyDHn6x2rY | true | Avira URL Cloud: safe | unknown
www.uuoouu-90.store/meub/ | true | Avira URL Cloud: safe | low
http://www.shadyshainarae.com/meub/?5jYHTPD=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSjw9+1sG86DK55WYOQ==&W2MTZ=5jyDHn6x2rY | false | Avira URL Cloud: safe | unknown
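The five contacted URLs differ only in host and in the value of the first parameter: the path /meub/ and the parameter names 5jYHTPD and W2MTZ are identical across unrelated domains, which is the structural signal a proxy or IDS rule can key on rather than any single domain. The Python below is an added example, not code from the report: it normalises the listed URLs (including the scheme-less one), groups them by path, and derives the host set to block. The beacon-shape heuristic (a short lowercase path segment plus two parameter values drawn from the base64 alphabet) is an assumption derived from the URLs on this page, not a published signature, and the benign URL is constructed for contrast.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URLs copied from the "Contacted URLs" table above (one is scheme-less, as listed).
CONTACTED_URLS = [
    "http://www.bridgestreetresources.com/meub/?5jYHTPD=wcKMzz9mAcCi2aLb0t1qtV86GlMNvZH+VyhKA1jT/I4bq+nb0/na/dj3wGs+8qrOUrJA87J5aQ==&W2MTZ=5jyDHn6x2rY",
    "http://www.m-kenterprises.com/meub/?5jYHTPD=AHOwzMgiYatzzgqEm8fFrRw5FyeBXJPWAn72SIj91D3zxHtkj2kvoxgZPNykIH4K/OrW/jgvcw==&W2MTZ=5jyDHn6x2rY",
    "http://www.servantsheartvalet.com/meub/?5jYHTPD=WGLirrwFUtYpDXzpLjvBuZZEIXcS0L/7kvp4uO4ypDpemvycQ/ZH3e36klWLP588DVSUgz18wg==&W2MTZ=5jyDHn6x2rY",
    "www.uuoouu-90.store/meub/",
    "http://www.shadyshainarae.com/meub/?5jYHTPD=IF6wwdQ2GC/v5+zeo737nU5N5nLUvdsVBqkfZ3TmK32/J3TLHA8Ym95CSjw9+1sG86DK55WYOQ==&W2MTZ=5jyDHn6x2rY",
]
# Constructed benign URL, used only to show the grouping stays quiet on unrelated traffic.
BENIGN_URL = "https://example.com/search?q=invoice&page=2"

B64_ALPHABET_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_url(url):
    """Split a URL into host, path and an ordered (name, value) list.
    The query is split by hand: urllib's parse_qsl would turn the '+' inside
    these base64-style values into spaces and corrupt them."""
    if "://" not in url:
        url = "http://" + url          # the report lists one URL without a scheme
    parts = urlsplit(url)
    params = []
    if parts.query:
        for item in parts.query.split("&"):
            name, _, value = item.partition("=")
            params.append((name, value))
    return {"host": parts.hostname, "path": parts.path, "params": params}


def beacon_shape(parsed):
    """The part of a beacon that stays constant across hosts: path and parameter names."""
    return (parsed["path"], tuple(name for name, _ in parsed["params"]))


def looks_like_beacon(parsed):
    """Heuristic derived from the URLs on this page (an assumption, not a published
    rule): a short lowercase path segment and exactly two parameters whose values
    use only the base64 alphabet."""
    path_ok = re.fullmatch(r"/[a-z]{2,8}/", parsed["path"]) is not None
    values = [value for _, value in parsed["params"]]
    return path_ok and len(values) == 2 and all(B64_ALPHABET_RE.match(v) for v in values)


def group_by_path(urls):
    """Bucket parsed URLs by path so hosts sharing one beacon path land together."""
    groups = defaultdict(list)
    for url in urls:
        parsed = parse_url(url)
        groups[parsed["path"]].append(parsed)
    return groups


def c2_host_set(urls, min_hosts=3):
    """Hosts that share one path with at least `min_hosts` distinct hosts, where at
    least one member has the beacon shape. Single-host paths are ignored."""
    hosts = set()
    for members in group_by_path(urls).values():
        distinct = {m["host"] for m in members}
        if len(distinct) >= min_hosts and any(looks_like_beacon(m) for m in members):
            hosts |= distinct
    return sorted(hosts)


if __name__ == "__main__":
    for path, members in group_by_path(CONTACTED_URLS + [BENIGN_URL]).items():
        shapes = {beacon_shape(m) for m in members}
        print(path, len(members), "URL(s), shapes:", shapes)
    print("block list:", c2_host_set(CONTACTED_URLS + [BENIGN_URL]))
```

Grouping by path rather than by full shape is deliberate: the www.uuoouu-90.store entry was recorded without its query string, and grouping by path still places it with the other four /meub/ hosts, which matches the report marking it malicious. The constructed example.com URL forms its own single-host group and is never added to the block list.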