
Analysis Report: Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Overview

General Information

Sample Name: Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Analysis ID: 432567
MD5: b148ae414eb8a1b34a15cdb32c21f9ee
SHA1: 25b78f76010cc34843352c78d4f8e07a28b46b32
SHA256: 193788545c12c697fe660e9dd178e5d97478d5b90d5b0096f1cd6a9b641d48e9

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shut down / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe' MD5: B148AE414EB8A1B34A15CDB32C21F9EE)
    • Proforma Invoice and Bank swift-REG.PI-0086547654.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe' MD5: B148AE414EB8A1B34A15CDB32C21F9EE)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 5888 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6764 cmdline: /c del 'C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rebeccannemontgomery.net/dp3a/"], "decoy": ["frayl.com", "utmostroofing.com", "galactigames.com", "kingguardgroup.com", "goldinsacks.com", "platinumcreditrepair.net", "sw-advisers.com", "ininjawebtech.com", "spectrurnvisionpartners.com", "freshdeliciousberryfarm.com", "12796.xyz", "goldgrandpa.com", "chicago-trading.academy", "newstechealth.com", "pecon.pro", "2dmaxximumrecords.com", "athrivingthirtysomething.com", "universalphonemarket.com", "motivationinterviewsinc.com", "virtualrealty.tours", "bring-wellness.com", "fengshuimingshi.com", "urbanpite.com", "28ji.site", "xuanpei.net", "letstrumpbiden.com", "xtremetechtv.com", "leyardzm.net", "funemoke.net", "closetofaurora.com", "theyogirunner.com", "pmbcommercial.com", "michiganpsychologist.com", "foodandbio.com", "goodlukc.com", "kingofkingslovesyou.com", "topazsnacks.com", "vinpearlnhatrangbay.com", "24x7dream.com", "attafine.com", "hireinone.xyz", "growwithjenn.com", "fortworthsurrogacy.com", "kladios.com", "aishark.net", "havenparent.com", "elementaryelegance.com", "moulardfarms.net", "tomrings.com", "allyexpense.com", "juleshypnosis.com", "rboxtogo.com", "restorey.com", "oilleakgames.com", "protectpursuit.com", "checkitreviews.com", "jeremypohu.com", "mnanoramaonline.com", "xn--instagrm-fza.com", "fianser.com", "www-338616.com", "woollardhenry.com", "reviewdrkofford.com", "vandalvans.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration identical to the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Virustotal: Detection: 29%
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Joe Sandbox ML: detected
Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.raserver.exe.51c7960.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.raserver.exe.30cde50.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000000.00000003.650872254.0000000009990000.00000004.00000001.sdmp, Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704631628.0000000000BDF000.00000040.00000001.sdmp, raserver.exe, 00000007.00000002.914611006.0000000004DAF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, raserver.exe
Source: Binary string: RAServer.pdb, source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL, source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704478667.0000000000940000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000005.00000000.695638149.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 4x nop then pop esi, 2_2_0041583E
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 4x nop then pop ebx, 2_2_00406A96
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop esi, 7_2_00AC583E
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop ebx, 7_2_00AB6A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49757 -> 121.254.178.252:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 85.159.66.93:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 35.205.61.67:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 37.48.65.148:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.rebeccannemontgomery.net/dp3a/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.hireinone.xyz
Source: global traffic, HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1 | Host: www.theyogirunner.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=rT959XFbghPJVv5hpca1PvfPcVCtnqQ7MGzQwkslu+qbfaQ1OXZa8AaW+DloN+T+QKhF HTTP/1.1 | Host: www.theyogirunner.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?GR-d=9p/K3n16Mfij3JUlf4zaR/Rujbmkv/CDhZs1M9Rj6A9SEkbuvv/NT9LewVshmGfbFjhm&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.kladios.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?GR-d=gNGby8oVX6PgZB5GWA7CusOGqzi3GywYGs/3OTvKjB1NulubMkWwqj/edMXwHBCob9Lh&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.hireinone.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?GR-d=gKBh5mJw+OBG/cLQbNfpnnQYqc+45jCeSmhHkERkUIltQJh3+jBq8zykiXiJ5ld+SMHF&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.closetofaurora.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=/zMHFgDZZhoYLr+uNA/LZaIwAqqHNoUyccNHiXKU1Oc8waRhqa0xV5lesUE3sQ0wja+H HTTP/1.1 | Host: www.28ji.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?GR-d=+9xVWhQ3YZdKS9LSdJD9Q5IGOGjZWYGRUC/PBrhb5+8EiR866LajmsNw/hU5zOKELtJS&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.kingguardgroup.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?GR-d=ayCA4X1Kl09ymHiLnx81tYxQpS3YxUUFxhK9zdH9kq/gCaIMsyBIYQcEhhLQSA14VAsf&nPTdU=-ZoHnNt0frfd2Hn HTTP/1.1 | Host: www.rebeccannemontgomery.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?nPTdU=-ZoHnNt0frfd2Hn&GR-d=qfgFr8ieK4pb0oEJahXrwfByJwdYjuIB81dpFpRA2DwOSKuw2QjIPW4nYRzvvZDFGDPJ HTTP/1.1 | Host: www.pecon.pro | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 23.227.38.74
Source: Joe Sandbox View, ASN Name: LEASEWEB-NL-AMS-01 (Netherlands, NL)
Source: Joe Sandbox View, ASN Name: HENGTONG-IDC-LLC (US)
Source: Joe Sandbox View, ASN Name: CLOUDFLARENET (US)
Source: unknown, DNS traffic detected: queries for: www.theyogirunner.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 10 Jun 2021 12:36:44 GMT | Server: Apache | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dp3a/ was not found on this server.</p></body></html>
Source: raserver.exe, 00000007.00000002.915003619.0000000005342000.00000004.00000001.sdmp, String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.659286527.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.676338868.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405042

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.704014446.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.704436953.00000000008F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.914091207.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.913473779.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Proforma Invoice and Bank swift-REG.PI-0086547654.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)
          Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Static file information: Suspicious name
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00418270 NtReadFile
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_004182F0 NtClose
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_004183A0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_004181BC NtCreateFile
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_004182EB NtClose
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_0041839B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B298F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B299A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B295D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B296E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B297A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B298A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B2B040 NtSuspendThread
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B299D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29A10 NtQuerySection
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B2A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B295F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B2AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29560 NtWriteFile
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B296D0 NtCreateKey
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29650 NtQueryValueKey
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B2A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29770 NtSetInformationFile
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B2A770 NtOpenThread
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_2_00B29760 NtOpenProcess
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_1_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_1_00418270 NtReadFile
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_1_004182F0 NtClose
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 2_1_004183A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9560 NtWriteFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CFAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CFA770 NtOpenThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CFA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CFB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CFA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_04CF9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00AC81C0 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00AC82F0 NtClose
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00AC8270 NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00AC83A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00AC81BC NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00AC82EB NtClose
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00AC839B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 04CBB150 appears 133 times
          Source: C:\Users\user\Desktop\Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Code function: String function: 00AEB150 appears 136 times
          Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000000.00000003.647610440.0000000009C3F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe
          Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704494044.0000000000959000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe
          Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, 00000002.00000002.704631628.0000000000BDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice and Bank swift-REG.PI-0086547654.exe
          Source: Proforma Invoice and Bank swift-REG.PI-0086547654.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.655317494.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.652838419.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.704410667.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.914114145.0000000003000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you
